Index Accessors Security Discussion #2
Comments
|
@natashenka we have been debating this problem and potential mitigation strategies during the SES weekly meeting. We plan to discuss it in more details next Thursday, it will be great if you can join us. /cc @erights |
|
Sure, let me know where and when and I'll see if I can make it. You can
email me at natashenka@google.com
|
|
@natashenka invited sent for next thursday. |
|
Do you have data for Firefox? I asked around and we don't think that indexed accessors are causing especially many security issues for us. I think I remember some issues with @@species, but I couldn't find the right bugs at this time. |
|
Additionally without indexed accessors, don't we still need to worry about proxies? |
|
I haven't found any, or seen any externally reported in Firefox, though I haven't taken a look in a while. There have been a few issues with Proxies, but index accessors cause more problems because they won't be detected by a type check. |
Array index accessors have led to many security issues (see: https://docs.google.com/presentation/d/11fkQeEisoszNGF8SrautVT1ltSnsQBWRxJ4usoc-g_o/edit#slide=id.g2b34aaab4a_1_0). Unfortunately, the usage metrics on those slides turned out to be measured incorrectly, real usage is here: https://www.chromestatus.com/metrics/feature/timeline/popularity/2238 . The usage is actually very high, almost 5% of all pages. Most of this usage is because jQuery uses this feature. I think there are a few options to lessen the security impact here, especially:
The text was updated successfully, but these errors were encountered: