On Wed, Nov 14, 2012 at 9:59 PM, Adam Barth <[email protected]> wrote:
> On Nov 14, 2012 8:59 PM, "Ryosuke Niwa" <[email protected]> wrote:
>>
>> On Wed, Nov 14, 2012 at 8:52 PM, Elliott Sprehn <[email protected]> wrote:
>>>
>>> I was present for one of the discussions about the exploit and how an arena-like allocator could have helped at Google. One proposed solution was to allocate all the JS typed buffers in an arena.
>>>
>>> Is there a reason we can't just do that? It's much less intrusive to allocate ArrayBuffer in an arena than to allocate all DOM objects in one.
>>
>> I don't think allocating all JS objects in an arena is good enough because attackers can inject nearly arbitrary sequences of bytes into DOM objects (e.g. text node).
>
> The text for a text node is stored in a String, not in the Node object itself.

Yeah, I guess text node was not a good example. Now that I think about it, we can probably get most of the security benefits of using RenderArena for DOM if we can allocate all strings & JS objects from an arena.

- R. Niwa
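The partitioning argument in the thread, as an added C example that is not from the thread or from WebKit: a toy fixed-slot arena with an intrusive free list (all names, slot sizes and counts are assumptions) is used once shared between DOM nodes and byte buffers and once with a separate arena per kind, to show that only the partitioned layout keeps a freshly allocated string/ArrayBuffer-style buffer out of a just-freed node's slot.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy arena: fixed-size slots handed out in order and recycled through an
   intrusive free list (slot size and count are assumptions for the demo). */
#define SLOT_SIZE  64
#define SLOT_COUNT 8

typedef struct {
    uint8_t slots[SLOT_COUNT][SLOT_SIZE];
    void   *free_list;    /* most recently freed slot, or NULL */
    int     next_unused;  /* index of the first never-used slot */
} Arena;

static void arena_init(Arena *a) { a->free_list = NULL; a->next_unused = 0; }

static void *arena_alloc(Arena *a) {
    if (a->free_list) {                        /* reuse a freed slot first, as real allocators do */
        void *p = a->free_list;
        memcpy(&a->free_list, p, sizeof(void *));
        return p;
    }
    return a->next_unused < SLOT_COUNT ? a->slots[a->next_unused++] : NULL;
}

static void arena_free(Arena *a, void *p) {
    memcpy(p, &a->free_list, sizeof(void *));  /* link the slot into the free list */
    a->free_list = p;
}

/* Model the thread's two layouts. Returns 1 if, after a DOM node is freed, the
   next script-filled byte buffer lands in the node's old slot (what a dangling
   node pointer would then read), 0 if that slot stays out of reach. */
int buffer_lands_in_freed_node_slot(int partitioned) {
    Arena node_arena, buffer_arena;
    arena_init(&node_arena);
    arena_init(&buffer_arena);
    Arena *buffers = partitioned ? &buffer_arena : &node_arena;  /* separate vs. shared arena */

    void *node = arena_alloc(&node_arena);  /* a DOM node */
    arena_free(&node_arena, node);          /* node freed; some code may still hold its pointer */
    void *buf = arena_alloc(buffers);       /* a string / ArrayBuffer whose contents script chooses */
    memset(buf, 0x41, SLOT_SIZE);           /* constructed filler bytes */
    return buf == node;
}

int main(void) {
    printf("shared arena: reused=%d\n", buffer_lands_in_freed_node_slot(0));  /* prints 1 */
    printf("partitioned:  reused=%d\n", buffer_lands_in_freed_node_slot(1));  /* prints 0 */
    return 0;
}
```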
_______________________________________________ webkit-dev mailing list [email protected] http://lists.webkit.org/mailman/listinfo/webkit-dev

