
Re: [caplet] Re: ADsafe and bind

  • Kris Zyp
    Sep 8, 2008
      Of course the attack assumes that the host uses Prototype and also has an iframe on the
      page, but I imagine such cases aren't hard to find. There are also several other ways you can
      get window without even depending on Prototype:
      ([].slice || 0)(0)
      ([].sort || 0)()
      ([].forEach || 0)(function( a,b,win){ })

      So now you're in a tough situation. Do you blacklist all of those vectors? I see you're
      currently using mozilla() to handle concat, reverse, and sort but that approach won't work
      consistently on all sites. Additionally you run into the problem that by poking around at
      Array.prototype you break hosts that use for (var ii in arr); for array iteration under the
      assumption that Array.prototype contains only DontEnum properties.

      When does mozilla() not work to fix concat, reverse, sort, slice, and forEach? Is it when the host site also wants to fiddle with the prototypes (of course this could simply be documented to be unsafe)? Also, the mozilla() fix function replaces values in existing slots; it doesn't seem to affect the DontEnum property in the environments I quickly tried (nor break array enumeration). Is there a particular environment where these replacements cause array enumeration breakage?
      Anyway, thanks for the help and information,
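As an added illustration (not code from the thread or from ADsafe) of the two points argued above: replacing the value in an existing Array.prototype slot keeps its DontEnum (enumerable:false) attribute, so a host's `for (var ii in arr)` loop is unaffected, whereas adding a helper by plain assignment creates an enumerable property and does break it; the `guard` wrapper is an assumed defensive replacement that refuses a global-object receiver, which is what the unbound `([].slice || 0)(0)` style of call yielded in ES3 engines. Names `patchExisting`, `guard`, `enumerableKeys` and `demo` are this example's own.

```javascript
// What a host's `for (var ii in arr)` loop actually sees.
function enumerableKeys(obj) {
  const keys = [];
  for (const k in obj) keys.push(k);
  return keys;
}

// Replace the value in an existing prototype slot (the "mozilla()" approach).
// Assignment to an existing property keeps its attributes, so a DontEnum slot
// stays non-enumerable. Returns the original so it can be restored.
function patchExisting(proto, name, wrapper) {
  const original = proto[name];
  proto[name] = wrapper(original);
  return original;
}

// Defensive replacement: refuse to run when the receiver is the global object
// (or missing), instead of letting an unbound call leak `window`.
function guard(original) {
  return function () {
    if (this === globalThis || this === undefined || this === null) {
      throw new TypeError('receiver must be an array-like, not the global object');
    }
    return original.apply(this, arguments);
  };
}

// Runs the three scenarios and restores Array.prototype afterwards.
function demo() {
  const result = {};
  const origSlice = patchExisting(Array.prototype, 'slice', guard);
  result.afterPatch = enumerableKeys([1, 2]);      // slice stays DontEnum: ['0','1']
  result.normalCall = [1, 2, 3].slice(1);         // guarded slice still works: [2,3]
  let blocked = false;
  try { Array.prototype.slice.call(globalThis, 0); } catch (e) { blocked = e instanceof TypeError; }
  result.globalReceiverBlocked = blocked;         // true
  Array.prototype.slice = origSlice;

  Array.prototype.naiveHelper = function () {};   // new slot by assignment: enumerable
  result.afterNaiveAdd = enumerableKeys([1, 2]);  // ['0','1','naiveHelper'] breaks for-in
  delete Array.prototype.naiveHelper;

  Object.defineProperty(Array.prototype, 'safeHelper',
    { value: function () {}, enumerable: false, writable: true, configurable: true });
  result.afterDefineProperty = enumerableKeys([1, 2]);  // ['0','1']: for-in stays clean
  delete Array.prototype.safeHelper;
  return result;
}
```

Note that modern engines already throw when a built-in like slice is called with an undefined receiver, so the guard mainly matters for the older ES3 behaviour the thread describes.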