document.all seems leaked directly to the iframe #76

mmis1000 · 2020-03-15T17:22:18Z

Because document.all == null

https://github.com/caridy/secure-javascript-environment/blob/6032355e5d26f70effa7cdb3cf6db2e051d81c54/src/secure-value.ts#L111

This line is incorrect because it will include document.all

The text was updated successfully, but these errors were encountered:

caridy · 2020-03-16T04:43:23Z

Oh wow, that’s unexpected:

document.all == null
> true
document.all.length
> 1352

I wonder why, and what other APIs are implementing a similar magical behavior.

As for the fix, it should be an easy one.

fixes #76: document.all == null breaks the membrane for valid targets

caridy · 2020-03-18T01:58:06Z

once again @mmis1000, thanks for the help here, you rock!

caridy added a commit that referenced this issue Mar 16, 2020

fixes #76: document.all == null breaks the membrane for valid targets

3a3212c

caridy mentioned this issue Mar 16, 2020

fixes #76: document.all == null breaks the membrane for valid targets #77

Merged

1 task

caridy closed this as completed in #77 Mar 17, 2020

caridy added a commit that referenced this issue Mar 17, 2020

Merge pull request #77 from caridy/caridy/issue-76

ca2349f

fixes #76: document.all == null breaks the membrane for valid targets

caridy mentioned this issue Mar 21, 2020

document.all is not virtualizable tc39/proposal-preserve-virtualizability#2

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

document.all seems leaked directly to the iframe #76

document.all seems leaked directly to the iframe #76

mmis1000 commented Mar 15, 2020 •

edited

Loading

caridy commented Mar 16, 2020

caridy commented Mar 18, 2020

document.all seems leaked directly to the iframe #76

document.all seems leaked directly to the iframe #76

Comments

mmis1000 commented Mar 15, 2020 • edited Loading

caridy commented Mar 16, 2020

caridy commented Mar 18, 2020

mmis1000 commented Mar 15, 2020 •

edited

Loading