[Webkit-unassigned] [Bug 159756] New: Object.prototype.__proto__ getter still provides access to WindowProxy

bugzilla-daemon at webkit.org
Wed Jul 13 23:57:41 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=159756

            Bug ID: 159756
           Summary: Object.prototype.__proto__ getter still provides
                    access to WindowProxy
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: erights at gmail.com

Re https://bugs.webkit.org/show_bug.cgi?id=141865 , the underlying problem remains. At https://bugs.webkit.org/show_bug.cgi?id=141865#c11 I write:



The more interesting case is:

>>> (function(){'use strict'; var g = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__').get; return g();})();

so that g is obtained from a local environment record rather than the global one. On this, FF Nightly 50.0a1 (2016-07-13) correctly throws

TypeError: get __proto__ method called on incompatible undefined

whereas WebKit Nightly 9.1.1 (11601.6.17, r203190) returns the WindowPrototype, which is just as dangerous as ever.


At https://bugs.webkit.org/show_bug.cgi?id=141865#c9 Brent asked me to open a new bug if this is still a problem. Hence this new bug.
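
A regression check for the behaviour reported above, added here as an example; it is not part of the original report or of WebKit's test suite. It generalizes the report's bare call `g()` to the other call forms that supply no usable receiver, and the helper names (`probe`, `checkProtoGetter`, `controlOk`, `conforms`) are hypothetical.

```javascript
'use strict';
// Added conformance check (not the reporter's or WebKit's code).
// The accessor is taken from a local binding, as in the report.
const protoGetter =
  Object.getOwnPropertyDescriptor(Object.prototype, '__proto__').get;

// Invoke fn and classify the outcome instead of letting it throw.
function probe(fn) {
  try {
    const value = fn();
    // Any object coming back means a receiver was substituted for `this`.
    return { threw: false, isTypeError: false, leaked: value != null };
  } catch (err) {
    return { threw: true, isTypeError: err instanceof TypeError, leaked: false };
  }
}

// Every case passes undefined or null as `this`. A conforming engine
// throws TypeError rather than falling back to the global object.
function checkProtoGetter(getter) {
  const cases = {
    'g()': () => getter(),
    'g.call(undefined)': () => getter.call(undefined),
    'g.call(null)': () => getter.call(null),
    'Reflect.apply(g, undefined, [])': () => Reflect.apply(getter, undefined, []),
  };
  const results = {};
  for (const [name, fn] of Object.entries(cases)) {
    results[name] = probe(fn);
  }
  return results;
}

// Positive control: with a real receiver the getter must still work.
function controlOk(getter) {
  return getter.call({}) === Object.prototype &&
         getter.call([]) === Array.prototype;
}

function conforms(getter) {
  const results = Object.values(checkProtoGetter(getter));
  return controlOk(getter) &&
    results.every((r) => r.threw && r.isTypeError && !r.leaked);
}

console.log(checkProtoGetter(protoGetter), 'conforms:', conforms(protoGetter));
```
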
