209 [Fwd: Re: ADsafe attack]

  • David-Sarah Hopwood
    May 21, 2008
      -------- Original Message --------
      From: Douglas Crockford <douglas@...>
      To: David-Sarah Hopwood <david.hopwood@...>
      Subject: Re: ADsafe attack

      David-Sarah Hopwood wrote:
      > Not just Array; all of the methods accessible in the public API. The
      > problem with that approach is that there may be methods that are not
      > standardized, and that are also not enumerable.

      The public API is the stuff that ADsafe allows. The ADSAFE object may
      contain any method that can leak. The ADsafe contract does not allow
      methods to the public objects that can leak. ADsafe does not allow the public
      objects to be used as values, so

      var o = Object;
      for (name in o) {

      is not allowed.

      It also includes anything that Firefox provides that ADsafe does not
      block. Does it have any more tricks?
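
The quoted concern about methods that are "not standardized, and that are also not enumerable" can be made concrete with an audit that compares what `for...in` sees against every property actually reachable on an object. This is an added example, not code from the thread or from ADsafe: `ALLOWED`, `host` and `vendorLeak` are hypothetical, and `Object.getOwnPropertyNames` is an ES5 feature that postdates this 2008 message.

```javascript
// Hypothetical allowlist of reviewed method names (not ADsafe's actual list).
const ALLOWED = new Set(["concat", "join", "slice", "indexOf"]);

// Names a for...in loop can see: enumerable properties only,
// including inherited ones.
function enumerableNames(obj) {
  const names = [];
  for (const name in obj) names.push(name);
  return names;
}

// Every string-keyed own property, enumerable or not, on the object
// and on each object in its prototype chain. (Symbol keys are not covered.)
function allNames(obj) {
  const names = new Set();
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    for (const key of Object.getOwnPropertyNames(o)) names.add(key);
  }
  return [...names];
}

// Methods reachable on obj that the allowlist has not reviewed.
function unreviewedMethods(obj, allowed) {
  return allNames(obj).filter(function (name) {
    let value;
    try {
      value = obj[name];
    } catch (e) {
      return true; // a getter that throws still needs review
    }
    return typeof value === "function" && !allowed.has(name);
  }).sort();
}

// Constructed sample: an object carrying a non-enumerable,
// non-standard method, standing in for a vendor extension.
const host = {};
Object.defineProperty(host, "vendorLeak", {
  value: function () { return this; },
  enumerable: false
});

console.log("for...in sees:", enumerableNames(host));
console.log("audit flags:", unreviewedMethods(host, ALLOWED));
console.log("Array.prototype unreviewed:",
  unreviewedMethods(Array.prototype, ALLOWED).length);
```

Enumeration reports nothing for `host` or for `Array.prototype`, while the full walk flags `vendorLeak` and every built-in method outside the allowlist.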