On Tuesday, May 31, 2022 at 6:00:03 PM UTC+2 [email protected] wrote: > I want to note one thing here, kind of a side observation really: > while(1); is valid JS, it's just an infinite loop. Do we also want to > guard against common patterns like this? >
No, I don't think this is a hard requirement. I'm not even sure how much of a common pattern it actually is. On Wednesday, June 1, 2022 at 10:42:27 AM UTC+2 [email protected] wrote: > As I understand it, the intention here is that false-positives for "is JS" are acceptable, and that it's up to the victim site to avoid prefixes that might be JS, but aren't. With that, what's the benefit of a full JS parse over a list of known non-JS prefixes like the one we already have? Admittedly, the whole ORB/CORB thing is a bit weird. What we really want sites to do is to properly label their resources with the correct mime types, because then the entire problem goes away. But because historically browsers don't (always) check mime types, we want some "backup" solution for sites that aren't cooperative. The given "parser breakers" are interesting because they're in use by some sites. (IMHO, "while (1);" is the worst example of them, because that is actually valid JS. But apparently it is being used <https://stackoverflow.com/questions/24640958/strip-out-while1-prepended-to-json-object> .) -- -- v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev --- You received this message because you are subscribed to the Google Groups "v8-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/7e69e4cd-dbaf-40e5-a54f-3de3088504c8n%40googlegroups.com.
