Closed
Bug 695579
Opened 13 years ago
Closed 11 years ago
E4X prototype not freezable
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: erights, Unassigned)
References
Details
> Object.freeze(Object.getPrototypeOf(<foo/>))
TypeError on line 1: can't change object's extensibility
For all other literals -- Object, Array, RegExp, Function -- their prototype is freezable on all browsers. This is important since, without parsing, there's no way to deny untrusted code the ability to instantiate these literals, and thereby to obtain access to the object they inherit from. (Since they are starting from literals, SES's scope games do not help.)
By contrast to any of these, on FF currently, two pieces of untrusted code in the same frame that should be isolated from each other can use E4X literals to obtain undeniable shared access to the XML.prototype, and thereby to communicate and to leak capabilities.
Reporter | ||
Comment 1•13 years ago
|
||
Note that, if https://bugzilla.mozilla.org/show_bug.cgi?id=695577 is fixed, then this bug no longer matters.
Comment 2•11 years ago
|
||
> Note that, if https://bugzilla.mozilla.org/show_bug.cgi?id=695577 is fixed,
> then this bug no longer matters.
Done.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•