Issue 1936 in google-caja: Deal with Object.observe()
2 views
Skip to first unread message
googl...@googlecode.com
Sep 8, 2014, 1:27:09 PM9/8/14
to google-ca...@googlegroups.com
Status: New
Owner: ----
Labels: Type-Defect Priority-Medium Component-SES
New issue 1936 by kpr...@google.com: Deal with Object.observe()
https://code.google.com/p/google-caja/issues/detail?id=1936
Object.observe is present in Chrome 36. Object.observe can break the
WeakMap emulation. WeakMap has also been enabled in the same version, so
the emulation will not be used in this case.
However, WeakMap.js should, for correctness, do one of:
1. patching Object.observe to suppress the hidden name,
2. deleting Object.observe, or
3. refusing to run.
For plain SES/Caja sandboxing, even if we had observe but not WeakMap,
there would be no effects because Object.observe is not on the SES
whitelist.
There would be a problem if innocent code was using Object.observe on
objects given to it by guest code, and passing information about keys back,
but that is already a potential problem since the host frame isn't patched
to hide the hidden property.
--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings
Owner: ----
Labels: Type-Defect Priority-Medium Component-SES
New issue 1936 by kpr...@google.com: Deal with Object.observe()
https://code.google.com/p/google-caja/issues/detail?id=1936
Object.observe is present in Chrome 36. Object.observe can break the
WeakMap emulation. WeakMap has also been enabled in the same version, so
the emulation will not be used in this case.
However, WeakMap.js should, for correctness, do one of:
1. patching Object.observe to suppress the hidden name,
2. deleting Object.observe, or
3. refusing to run.
For plain SES/Caja sandboxing, even if we had observe but not WeakMap,
there would be no effects because Object.observe is not on the SES
whitelist.
There would be a problem if innocent code was using Object.observe on
objects given to it by guest code, and passing information about keys back,
but that is already a potential problem since the host frame isn't patched
to hide the hidden property.
--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings
googl...@googlecode.com
Feb 15, 2015, 2:59:09 PM2/15/15
to google-ca...@googlegroups.com
Updates:
Owner: erights
Comment #1 on issue 1936 by eri...@google.com: Deal with Object.observe()
https://code.google.com/p/google-caja/issues/detail?id=1936
(No comment was entered for this change.)
Owner: erights
Comment #1 on issue 1936 by eri...@google.com: Deal with Object.observe()
https://code.google.com/p/google-caja/issues/detail?id=1936
(No comment was entered for this change.)
Reply all
Reply to author
Forward
0 new messages