Hi gaz,

Thanks so much for your time.

Much care has been taken with this proposal to ensure that it is neutral with respect to the existing JS Object/Security model. As I understand it, the core vulnerability with JSON hacking is the ability to define getters on the Object prototype. Object.observe() does not affect that ability. In order to be notified of changes to an object, you need a reference to it first. E.g.

    Object.observe(Object.prototype, function doBadThings() { .. });

But if you were able to do this, you could have just as easily gone ahead and done bad things directly to the Object.prototype. Object.observe() doesn't increase your access. If there is something I'm missing, perhaps you can provide a code example of how the attack would work.

On Fri, Aug 17, 2012 at 2:50 AM, gaz Heyes <gazhe...@gmail.com> wrote:
> Hi Rafael
>
> Would this proposal work on the Object prototype? If so then it could be
> used for JSON hijacking. I'd recommend it didn't.
>
> Cheers
>
> Gareth

_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss