Closed Bug 695579 Opened 13 years ago Closed 11 years ago

E4X prototype not freezable

Categories

(Core :: JavaScript Engine, defect)

Other Branch
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: erights, Unassigned)

> Object.freeze(Object.getPrototypeOf(<foo/>))
TypeError on line 1: can't change object's extensibility

For all other literals -- Object, Array, RegExp, Function -- their prototype is freezable on all browsers. This is important since, without parsing, there's no way to deny untrusted code the ability to instantiate these literals, and thereby to obtain access to the object they inherit from. (Since they are starting from literals, SES's scope games do not help.) 

By contrast to any of these, on FF currently, two pieces of untrusted code in the same frame that should be isolated from each other can use E4X literals to obtain undeniable shared access to the XML.prototype, and thereby to communicate and to leak capabilities.

Note that, if https://bugzilla.mozilla.org/show_bug.cgi?id=695577 is fixed, then this bug no longer matters.
See Also: → 695577
> Note that, if https://bugzilla.mozilla.org/show_bug.cgi?id=695577 is fixed,
> then this bug no longer matters.

Done.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
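
The isolation argument in the first comment, as an added example (not part of the bug report, and not Firefox or SES code): it audits which literal-reachable prototypes are still mutable, freezes them, and checks whether a value written through one literal can be read through another. E4X literals no longer exist in current engines, so only the four literal kinds the report lists are covered; every function and constant name below is this example's own.

```javascript
'use strict';

// Literal kinds the report lists. Each factory uses only literal syntax, so
// no global name lookup is involved in reaching the prototype.
const LITERALS = {
  Object: () => ({}),
  Array: () => [],
  RegExp: () => /x/,
  Function: () => function () {},
};

// Names of literal kinds whose prototype is still mutable.
function unfrozenLiteralPrototypes(literals = LITERALS) {
  return Object.keys(literals).filter(
    (name) => !Object.isFrozen(Object.getPrototypeOf(literals[name]()))
  );
}

// Freeze every literal-reachable prototype and collect any refusal, such as
// the "can't change object's extensibility" TypeError quoted in the report.
function freezeLiteralPrototypes(literals = LITERALS) {
  const failures = [];
  for (const [name, make] of Object.entries(literals)) {
    try {
      Object.freeze(Object.getPrototypeOf(make()));
    } catch (err) {
      failures.push({ name, error: String(err) });
    }
  }
  return failures;
}

// True if a value stored via one literal's prototype can be read back through
// a second, unrelated literal of the same kind (a shared mutable channel).
function channelOpen(make, key = '__constructedProbe') {
  const proto = Object.getPrototypeOf(make());
  try {
    proto[key] = 'probe'; // throws in strict mode once proto is frozen
  } catch (err) {
    // frozen: the write was rejected
  }
  const seen = make()[key] === 'probe';
  if (seen) delete proto[key]; // leave no trace of the probe
  return seen;
}

// Read-only report of the current state; nothing is frozen at load time.
console.log('mutable literal prototypes:', unfrozenLiteralPrototypes());
```

Call `freezeLiteralPrototypes()` before any untrusted code is loaded; a non-empty return value means some literal kind still exposes a prototype that cannot be locked down.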