[Webkit-unassigned] [Bug 29193] [chromium] Prevent JavaScript busy-loops in unload handlers

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 16 16:12:51 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=29193

--- Comment #31 from Adam Barth <abarth at webkit.org>  2009-09-16 16:12:50 PDT ---
(In reply to comment #30)
> More interesting to me is the question of whether there is any possible harm to
> authors due to your comment 6 or comment 8 (although it sounds like perhaps
> comment 8 is a nonissue since authors can't actually get at this?).

It depends what you mean by harm to authors.  I don't think anyone is going to
suffer any monetary loss because the toString of a function magically changes
at some odd time.  On the other hand, the web platform would be even more
insane if we did that all the time.

W.r.t. other technical issues with the patch, the use of the |this| keyword is
quite dangerous to secure JavaScript subsets like ADsafe or Caja because |this|
can point to the global object.  They take great care to dance around the uses
of |this| in the JS implementation in Firefox.  Adding |this| to this
super-obscure corner case is like hiding a land mine in your corn field:
eventually it will blow your legs off.

As for leaking the terminateScript capability, I don't have a good sense of
what evil things a page could do with that.  I'd rather not have to worry about
those issues.

> Ideally
> the patch would be one which doesn't have any harmful side effects.  That is my
> greatest concern.

The reason we have to worry about this stuff is because the patch is written at
the wrong layer of abstraction.  It's the same reason we could steal all the
user's passwords from 6 of 6 password managers built out of (essentially) the
evalJavaScript IPC message: 
http://www.adambarth.com/papers/2009/adida-barth-jackson.pdf

To do this right, you need to be inside the engine, not splicing loaded guns
into a potentially malicious environment.

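The point about |this| in comment #31 is easy to see in a few lines. The block below is an added example; it is not the WebKit patch under discussion nor code from Caja or ADsafe. The helper names, the sandbox wrapper and the "guest probe" are invented for illustration; the only assumed behaviour is the language rule that a sloppy-mode function invoked without a receiver gets the global object as |this|, which is exactly what a secure-subset loader has to defend against:

```javascript
// Added example (not from bug 29193 or any secure-subset project): a helper
// spliced into page JavaScript that depends on |this| can hand the global
// object to guest code, and a sandbox must pin the receiver to prevent it.

// Functions built with the Function constructor are sloppy-mode unless their
// body opts in, regardless of how this file itself is loaded, so the demo
// behaves the same under CommonJS and ES modules. (Constructed stand-ins.)
const sloppyHelper = new Function('return this;');
const strictHelper = new Function("'use strict'; return this;");

// Does a bare call (no receiver) hand back the real global object?
function leaksGlobalOnBareCall(fn) {
  return fn() === globalThis;
}

// Hypothetical sandbox-side fix: pin the receiver before exposing a helper to
// guest code, so |this| can never fall back to the global object.
function pinReceiver(fn, receiver) {
  return function pinned(...args) {
    return Reflect.apply(fn, receiver, args);
  };
}

// Hypothetical guest-side probe: every way of calling the helper that leaves
// the receiver undefined. Returns true if any of them yields the global object.
function guestProbe(helper) {
  const results = [
    helper(),                 // bare call
    (0, helper)(),            // indirect call, still no receiver
    helper.call(undefined),   // explicit undefined receiver
  ];
  return results.some((r) => r === globalThis);
}

// Stand-alone run: the sloppy helper leaks, the strict one and the pinned one do not.
const frozenReceiver = Object.freeze({});
console.log('sloppy leaks:', guestProbe(sloppyHelper));
console.log('strict leaks:', guestProbe(strictHelper));
console.log('pinned leaks:', guestProbe(pinReceiver(sloppyHelper, frozenReceiver)));
```

Note that pinning the receiver only closes the |this| channel; a helper that closes over a privileged capability (the terminateScript concern in the same comment) still needs to be kept out of the guest's reach by construction, which is why the comment argues for doing the work inside the engine rather than in injected script.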