>
> ORB-with-html/json/xml-sniffing shows that some security benefits of ORB
> may be realized without full-fidelity JS sniffing/parsing.
>
>
You may call it a security benefit to block "obvious" parser breakers like
)]}', but in general, any "when in doubt, don't block it" strategy won't be
much of an obstacle to intentional attacks. For instance, once Mr. Bad Guy
has learned that the sniffer only looks at the first 1024 characters, they
can send a response whose first 1024 characters lead to a "well, it *might*
be valid JS" judgement (such as a JS comment, or long string, or whatever).
OTOH any "when in doubt, block it" strategy runs the risk of breaking
existing websites in those doubtful cases.
> (Although the JSON object syntax is exactly Javascript's
> object-initializer syntax, a Javascript object-initializer expression is
> not valid as a standalone Javascript statement.)
There is (at least) one subtlety here: JS is more permissive than the
official JSON spec. The latter requires quotes around property names, the
former doesn't. I.e. {"foo": is indeed never valid JS, but {foo: is (the
brace opens a code block, and foo is a label). Also, the colon is essential
for rejecting the former snippet, because {"foo"; is valid JS (code block
plus ignored string á la "use strict";), so this is a concrete example
where the 1024-char prefix issue is relevant.
> When the sniffer sees:
> [ 123, 456, “long string taking X bytes”,
> then it should block the response when the Content-Type is a JSON MIME type
I don't follow. When the Content-Type is JSON, and the actual contents are
valid JSON, why should that be blocked?
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups
"v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/v8-dev/CAKSzg3TNvd1jd3yH8xyD767ZhbCqhEZJMFmm7nQ%2BtcQcXfjt_g%40mail.gmail.com.
