I noticed that even though security tokens between 2 contexts may not match,
you can still write properties which may be disconcerting. As an example:
var vm = require('vm');
// The host's own console object is handed to the new context as-is.
var sandbox = {
console: console
};
delete console.a; // make sure the property does not exist beforehand
// Script compiled and run in a fresh context with a different security token.
var script = new vm.Script("console.a = 123", "test.js");
script.runInNewContext(sandbox);
// The write made inside the new context is visible on the host object.
console.log(console.a);
console.log(console.a == 123 ? "LEAKING" : "NOT LEAKING");
Currently there is no way to prevent one context from writing to another
context's objects without setting access checks on every object (and
children) passed between them, thus every object which may be given to
another context must have its access checks turned on. This proves to be
exceedingly difficult because this must be done on ObjectTemplates if we
want to ensure safety when a user may give an arbitrary object between
contexts (otherwise virtually everything must be given an access check which
means you are likely to miss some object).
I think it would be easier if you could simply tell a Context what
AccessControl it has when accessing another context, i.e. either of the
following (named poorly):
Context::SetAccessForSecurityToken(Handle<Value> securityToken,
AccessControl);
typedef bool (*ContextSecurityCallback)(Handle<Value> securityToken);
Context::SetInterContextAccessCheck(ContextSecurityCallback check);
Does this sound reasonable?
Cheers,
Bradley
--
v8-users mailing list
http://groups.google.com/group/v8-users