On Fri, Jun 8, 2012 at 6:48 PM, Erik Arvidsson <erik.arvids...@gmail.com> wrote:
> On Fri, Jun 8, 2012 at 4:10 PM, Charles Kendrick <char...@isomorphic.com> wrote:
>>> Once again, exposing the actual arguments, receiver and function
>>> object references is a security issue and completely out of scope for
>>> this. This is not related to cross domain access but related to object
>>> capabilities.
>>
>> Erik how do you reconcile this with the fact that this information can
>> already be obtained in most production browsers via stack walking?
>
> Stack walking is not available in strict functions.

Interesting, but it doesn't speak against programmatic access to the
call stack.

If "use strict" or any other security feature means that
function.arguments are not accessible to a given script, then the same
constraint could be trivially enforced with programmatic access to the
call stack.

The same could be applied to access to the receiver or values of local
variables.  In fact, V8's CallSite API makes the receiver inaccessible
for a strict mode function (I just checked).
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
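
The strict-mode restrictions discussed in this message, shown as an added example that is not part of the original thread: a sloppy function's caller and arguments can be walked, a strict one's cannot, and V8's CallSite API withholds the receiver of a strict frame. It assumes a V8 host such as Node.js; the names `make`, `walker`, `capture`, `sloppy`, `strict`, `callerIsPoisoned` and `demo` are hypothetical.

```javascript
// Added example, not from the thread. Assumes a V8 host (Node.js) for CallSite.
// new Function makes each function's strictness explicit, whatever the loader.
const make = (body, ...deps) => new Function("walker", "capture", body)(...deps);

// Sloppy callee that walks one frame up through caller/arguments.
const walker = make(`return function walker() {
  const c = walker.caller;              // V8 yields null when the caller is strict
  return c ? Array.from(c.arguments) : null;
}`);

// Sloppy helper that returns V8 CallSite objects instead of a stack string.
const capture = make(`return function capture() {
  const saved = Error.prepareStackTrace;
  Error.prepareStackTrace = (err, frames) => frames;
  try { return new Error().stack; } finally { Error.prepareStackTrace = saved; }
}`);

// The same two functions, compiled once sloppy and once strict.
const bodyFor = (directive) => `${directive}
return {
  withSecret: function (secret) { const seen = walker(); return seen; },
  receiverSeen: function () { const frames = capture(); return frames[1].getThis(); },
};`;
const sloppy = make(bodyFor(""), walker, capture);
const strict = make(bodyFor('"use strict";'), walker, capture);

// True when reading fn.caller from outside throws (the strict-mode poison pill).
function callerIsPoisoned(fn) {
  try { void fn.caller; return false; } catch (e) { return e instanceof TypeError; }
}

function demo() {
  return {
    sloppyArgsLeaked: sloppy.withSecret("constructed-secret"),
    strictArgsLeaked: strict.withSecret("constructed-secret"),
    sloppyReceiverExposed: sloppy.receiverSeen() === sloppy,
    strictReceiver: strict.receiverSeen(),
    sloppyPoisoned: callerIsPoisoned(sloppy.withSecret),
    strictPoisoned: callerIsPoisoned(strict.withSecret),
  };
}

console.log(demo());
```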
