Re: Issue 1962 in google-caja: Cross-frame for-in is broken on Firefox 37, 38 beta


googl...@googlecode.com

Apr 8, 2015, 5:55:34 PM
to google-ca...@googlegroups.com
Updates:
Summary: Cross-frame for-in is broken on Firefox 37, 38 beta

Comment #5 on issue 1962 by kpr...@google.com: Cross-frame for-in is broken
on Firefox 37, 38 beta
https://code.google.com/p/google-caja/issues/detail?id=1962

Standalone test case (partly constructed from the cajaVM.anonIntrinsics
code).

Bizarrely, the thrown TypeError may appear in the console _before_ the rest
of the messages, depending on version and whether the console is open when
the page is loaded.

<iframe id="tmf" src="about:blank"></iframe>
<script>
// Take the frame's global so every intrinsic below comes from the other realm.
var frame = document.getElementById('tmf');
var frwin = frame.contentWindow;

// Reach the frame's %IteratorPrototype% the way cajaVM.anonIntrinsics does:
// array -> array iterator -> %ArrayIteratorPrototype% -> its prototype.
var iteratorSym = frwin.Symbol.iterator;
var arrayIter = (new frwin.Array())[iteratorSym]();
var ArrayIteratorPrototype = Object.getPrototypeOf(arrayIter);
var arrayIterProtoBase = Object.getPrototypeOf(ArrayIteratorPrototype);
var IteratorPrototype = arrayIterProtoBase;

// Remove .next, as SES does for a non-whitelisted property, and confirm it is gone.
console.log(IteratorPrototype.next);
delete IteratorPrototype.next;
console.log(IteratorPrototype.next);

// for-in over an object created in the frame: on Firefox 37/38 the loop
// reaches for the frame's %IteratorPrototype%.next, which is now gone, so the
// loop throws a TypeError and the "Didn't fail" line is never logged.
var tam = frwin.eval('({})');
console.log('(1) About to fail');
for (var x in tam) { console.log('(1)', x); }
console.log('(1) Didn\'t fail');
</script>

--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

googl...@googlecode.com

Apr 8, 2015, 6:01:11 PM
to google-ca...@googlegroups.com

Comment #6 on issue 1962 by eri...@google.com: Cross-frame for-in is broken
on Firefox 37, 38 beta

Reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1152550

googl...@googlecode.com

Apr 8, 2015, 8:55:25 PM
to google-ca...@googlegroups.com
Updates:
Status: Accepted

Comment #7 on issue 1962 by eri...@google.com: Cross-frame for-in is broken
on Firefox 37, 38 beta

From the discussion on the bugzilla bug thread, it looks likely that
Firefox's behavior is correct by ES6 and is simply the first browser to
implement the ES6 behavior here rather than the ES5 behavior. We need to
fix this on the Caja side. The easiest fix, if we decide it is safe, is to
whitelist cajaVM.anonIntrinsics.IteratorPrototype.next .

Does anyone see any problem whitelisting this? If you were going to look
for a possible exploit this enables, where would you look?

googl...@googlecode.com

Apr 13, 2015, 1:31:10 PM
to google-ca...@googlegroups.com

Comment #8 on issue 1962 by kpr...@google.com: Cross-frame for-in is broken
on Firefox 37, 38 beta

FWIW, I haven't consulted the spec, but this _should_ be a purely local
operator (i.e. it mutates its arguments/this only) so it should be safe.

googl...@googlecode.com

Apr 13, 2015, 1:37:35 PM
to google-ca...@googlegroups.com

Comment #9 on issue 1962 by eri...@google.com: Cross-frame for-in is broken
on Firefox 37, 38 beta

See the bugzilla thread. The spec is actually ambiguous and we've agreed to
tighten it up so it is safe for ES7 -- by making the .next used by the spec
be an own property of the unobservable iterator driving the iteration, and
so itself unobservable. It also sounds like FF will adopt this in its
implementation as well.

So SES only needs to change something (likely: whitelist .next) if
cross-frame for/in needs to work for current customers before the FF fix.
Opinions?
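
Comment #9's distinction, as an added example that is not Caja/SES code and not
SpiderMonkey's implementation: a Node-runnable model of for-in driven through a
shared, reachable %IteratorPrototype%.next versus through an own, unobservable
next. Everything in it (IteratorPrototypeModel, forInViaPrototype,
forInViaOwnNext, the sample object) is this example's own invention. It shows
why deleting the non-whitelisted next, as the standalone test case in comment #5
does, breaks only the first form, and why a replaced next lets one script decide
what another script's for-in reports, which is the observability the spec
tightening removes.

```javascript
'use strict';

// Added model (not Caja/SES code and not SpiderMonkey's for-in): two ways an
// engine could drive for-in. IteratorPrototypeModel and the two forIn*
// functions are this example's own names, not engine or Caja APIs.

// Stand-in for %IteratorPrototype%: one object every script in the realm can
// reach (the test case above reaches the real one from an array iterator).
const IteratorPrototypeModel = {
  next() {
    if (this._i < this._keys.length) {
      return { value: this._keys[this._i++], done: false };
    }
    return { value: undefined, done: true };
  },
};

// Enumerable string keys along the prototype chain, in for-in order.
function enumerableKeys(obj) {
  const keys = [];
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    for (const k of Object.keys(o)) {
      if (!keys.includes(k)) keys.push(k);
    }
  }
  return keys;
}

// Variant 1, the behaviour comment #7 attributes to Firefox 37/38: the
// for-in iterator inherits from the shared prototype, so every call to
// `next` is an observable property lookup that other code can delete or
// replace.
function forInViaPrototype(obj, visit) {
  const iter = Object.create(IteratorPrototypeModel);
  iter._keys = enumerableKeys(obj);
  iter._i = 0;
  for (;;) {
    const r = iter.next();
    if (r.done) return;
    visit(r.value);
  }
}

// Variant 2, the tightening comment #9 describes: `next` belongs to an
// iterator no user code can reach, so nothing outside the loop can observe
// or influence the lookup.
function forInViaOwnNext(obj, visit) {
  const keys = enumerableKeys(obj);
  let i = 0;
  const next = () =>
    i < keys.length ? { value: keys[i++], done: false }
                    : { value: undefined, done: true };
  for (;;) {
    const r = next();
    if (r.done) return;
    visit(r.value);
  }
}

function collect(forIn, obj) {
  const out = [];
  forIn(obj, (k) => out.push(k));
  return out;
}

// Run `fn` with the shared `next` replaced, or removed when `replacement`
// is undefined, then restore it.
function withSharedNext(replacement, fn) {
  const saved = IteratorPrototypeModel.next;
  if (replacement === undefined) delete IteratorPrototypeModel.next;
  else IteratorPrototypeModel.next = replacement;
  try { return fn(); } finally { IteratorPrototypeModel.next = saved; }
}

function runVariants(obj) {
  let viaProto;
  try { viaProto = collect(forInViaPrototype, obj); }
  catch (e) { viaProto = e.constructor.name; } // TypeError once `next` is gone
  return { viaProto, viaOwn: collect(forInViaOwnNext, obj) };
}

const sample = { a: 1, b: 2 }; // constructed input

// Scenario A: SES removes the non-whitelisted `next`, as the `delete` in the
// test case does. Variant 1 breaks; variant 2 is unaffected.
function afterWhitelistDelete() {
  return withSharedNext(undefined, () => runVariants(sample));
}

// Scenario B: some script in the realm replaces the shared `next`. Variant 1
// now reports whatever keys that script chooses; variant 2 still reports the
// object's real keys.
function afterTamper() {
  const spoofed = function () {
    if (this._spoofed) return { value: undefined, done: true };
    this._spoofed = true;
    return { value: 'injected', done: false };
  };
  return withSharedNext(spoofed, () => runVariants(sample));
}

console.log(afterWhitelistDelete()); // { viaProto: 'TypeError', viaOwn: ['a','b'] }
console.log(afterTamper());          // { viaProto: ['injected'], viaOwn: ['a','b'] }
```

The model is deliberately only about where `next` is found: the first variant
fails or lies exactly when the shared prototype is edited, the second never
consults anything reachable, which is the property that makes whitelisting
`.next` unnecessary once engines adopt the tightened spec.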

googl...@googlecode.com

Apr 13, 2015, 1:54:15 PM
to google-ca...@googlegroups.com

Comment #10 on issue 1962 by ma...@google.com: Cross-frame for-in is broken
on Firefox 37, 38 beta

As a user of Caja, I'm seeing more and more of our users running into this
issue. Would be wonderful to have a fix soon.

googl...@googlecode.com

Apr 13, 2015, 2:22:37 PM
to google-ca...@googlegroups.com
Updates:
Status: Started

Comment #11 on issue 1962 by erights: Cross-frame for-in is broken on
Firefox 37, 38 beta

Started: https://codereview.appspot.com/222570043/