On 27.11.2015 13:16, Gervase Markham wrote: > On 26/11/15 17:13, Mike Hoye wrote: >> Stillman wrote some new code and put it through a process meant to catch >> problems in old code, and it passed. That's unfortunate, but does it >> really surprise anyone that security is an evolving process? That it >> might be be full of hard tradeoffs? There is a _huge_gap_ between "new >> code can defeat old security measures" and "therefore all the old >> security measures are useless". > > But the thing is, members of our security group are now piling into the > bug pointing out that trying to find malicious JS code by static code > review is literally _impossible_ (and perhaps hinting that they'd have > said so much earlier if someone had asked them). > > You can evolve your process all you like, but if something is > impossible, it's impossible. And not only that, but attempting it seems > to be causing significant collateral damage. >
We can detect obfuscation and disallow it, though. It's not "all is lost", but "impossible to be 100% exact, if we allow arbitrary JavaScript". I think we already disallow certain language features (e.g. eval?). _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform