Re: [Fwd: Re: ADsafe attack]

  • David-Sarah Hopwood
    May 21, 2008
      Douglas Crockford wrote:
      > I don't trust a blacklist approach to guard dot, so that would mean
      > outlawing dot except in a few specific cases, which would make use of
      > the language close to unbearable.
      >
      > So instead, I will fix Firefox:
      >
      > Array.prototype.concat = function () {
      >     var concat = Array.prototype.concat;
      >     return function () {
      >         if (this === window) {
      >             throw {
      >                 name: "ADsafe",
      >                 message: "ADsafe violation."
      >             };
      >         }
      >         return concat.apply(this, arguments);
      >     };
      > }();

      I'm not convinced that it is sufficiently robust to just check for
      (this === window). This should work:

      function robustify(aType, methodName) {
          var proto = aType.prototype;
          var oldMethod = proto[methodName];

          if ({}.__proto__ !== undefined) {
              // Engine exposes __proto__: accept only receivers whose
              // immediate prototype is the guarded one.
              aType.prototype[methodName] = function () {
                  if (this.__proto__ !== proto) {
                      throw {name: "ADsafe", message: "ADsafe violation."};
                  }
                  return oldMethod.apply(this, arguments);
              };
          } else {
              // No __proto__: tag the prototype with a marker that
              // instances inherit, and check for that instead.
              proto._type___ = proto;
              if (Object.dontEnum !== undefined) {
                  Object.dontEnum(proto, '_type___');
              }
              aType.prototype[methodName] = function () {
                  if (this._type___ !== proto) {
                      throw {name: "ADsafe", message: "ADsafe violation."};
                  }
                  return oldMethod.apply(this, arguments);
              };
          }
      }

      robustify(Array, 'concat');

      However, without having a way to enumerate all of the functions,
      including undocumented ones, defined on the prototypes of
      {Object,Function,Array,String,Boolean,Number,Math,Date,RegExp,*Error},
      you still risk missing one that could potentially leak 'this'.

      Any chance of an Object.__allKeys__(object) method, which ignores
      DontEnum, in ES3.1?

      --
      David-Sarah Hopwood
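Hopwood's receiver check carried into current JavaScript, as an added example that is not code from this thread: it uses the standard Object.getPrototypeOf in place of __proto__ and the hypothetical Object.dontEnum, and globalThis stands in for window.

```javascript
// Added example (not code from the thread): guard a prototype method so it
// runs only when `this` really inherits from that prototype, using the
// standard Object.getPrototypeOf instead of __proto__ / Object.dontEnum.
function adsafeViolation() {
  return { name: 'ADsafe', message: 'ADsafe violation.' };
}

function guardMethod(type, methodName) {
  const proto = type.prototype;
  const original = proto[methodName];
  proto[methodName] = function () {
    // Strict mode matters: a sloppy wrapper called bare (var c = [].concat; c())
    // would receive the global object as `this` and hand it to the original.
    'use strict';
    if (this === undefined || this === null ||
        Object.getPrototypeOf(this) !== proto) {
      throw adsafeViolation();
    }
    return original.apply(this, arguments);
  };
}

// Keep the unguarded method so the two behaviours can be compared.
const unguardedConcat = Array.prototype.concat;
guardMethod(Array, 'concat');

// Calls fn with an explicit receiver and reports what came out:
// 'leaked' if the foreign receiver was returned inside the result array,
// 'blocked' if the guard rejected it, 'ok' for a legitimate array receiver.
function callWithThis(thisValue, fn) {
  fn = fn || Array.prototype.concat;
  try {
    const out = fn.call(thisValue);
    return out[0] === thisValue ? 'leaked' : 'ok';
  } catch (e) {
    return e && e.name === 'ADsafe' ? 'blocked' : 'error';
  }
}

// The detached bare call the thread is worried about.
function bareCall() {
  const concat = [].concat;
  try {
    concat();
    return 'leaked';
  } catch (e) {
    return e && e.name === 'ADsafe' ? 'blocked' : 'error';
  }
}
```

Even in a modern engine the unguarded concat still returns a foreign receiver wrapped in an array when called with an explicit `this`; the guard closes that path while ordinary array calls keep working.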