Status: New
Owner: ----
Labels: Type-Defect Priority-Medium Component-SES
New issue 1936 by [email protected]: Deal with Object.observe()
https://code.google.com/p/google-caja/issues/detail?id=1936
Object.observe is present in Chrome 36. Object.observe can break the
WeakMap emulation. WeakMap has also been enabled in the same version, so
the emulation will not be used in this case.
However, WeakMap.js should, for correctness, do one of:
1. patching Object.observe to suppress the hidden name,
2. deleting Object.observe, or
3. refusing to run.
For plain SES/Caja sandboxing, even if we had observe but not WeakMap,
there would be no effects because Object.observe is not on the SES
whitelist.
There would be a problem if innocent code was using Object.observe on
objects given to it by guest code, and passing information about keys back,
but that is already a potential problem since the host frame isn't patched
to hide the hidden property.
--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings
--
---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
