Updated Feb 14, 2009 by jasvir
Labels: Attack-Vector
DeleteUnmasksGlobals
`delete` defeats masking of globals via `with`

Delete can unmask globals

Effect

If a rewriter relies on `with` blocks to mask global references (for example, by enumerating every global name, building an object with a property for each, and wrapping all untrusted code in a `with` statement over that object), the untrusted code can escape containment by applying `delete` to the masking property.

Background

The `with` construct takes an expression that evaluates to an object obj; any reference R in its body that is not satisfied by an interior declaration is interpreted as obj[R] if (R in obj), and otherwise resolves in the enclosing scope as usual. Because the masking properties of a plain object are configurable, `delete R` inside the block removes obj[R], after which R again resolves to the real global.

Assumptions

Versions

All

Example

If the untrusted code

  delete document;
  alert('your cookie is ' + document.cookie);

is naively implemented as

  with ({ document: null }) {
    delete document;
    alert('your cookie is ' + document.cookie);
  }
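The escape above next to its mitigation, as an added example that is not Caja's own code. It runs under Node, so `globalThis.document` is a constructed stand-in for the browser global; `runMasked`, `naiveMask` and `hardenedMask` are hypothetical helper names chosen here.

```javascript
// Added example, not code from the Caja project. Node has no DOM, so a
// constructed stand-in for the real global `document` is installed first.
globalThis.document = { cookie: 'session=SECRET' };

// Untrusted code as the rewriter receives it (constructed sample): it deletes
// the mask and then reads whatever `document` resolves to afterwards.
const UNTRUSTED =
  "delete document; return document === null ? 'masked' : document.cookie;";

// Naive mask: an ordinary object whose properties are configurable, so
// `delete` inside the with-block removes them and exposes the real global.
function naiveMask(names) {
  const mask = {};
  for (const name of names) mask[name] = null;
  return mask;
}

// Hardened mask: every masking property is non-configurable and
// non-writable, so [[Delete]] on it fails and the mask stays in place.
function hardenedMask(names) {
  const mask = Object.create(null);
  for (const name of names) {
    Object.defineProperty(mask, name, {
      value: null, writable: false, configurable: false,
    });
  }
  return mask;
}

// Run the untrusted source inside `with (mask)`. The Function constructor
// always produces a sloppy-mode body, so `with` and `delete <identifier>`
// parse even when this file itself is in strict mode.
function runMasked(mask, source) {
  const fn = new Function('mask', 'with (mask) { ' + source + ' }');
  return fn(mask);
}

// Same untrusted code, two masks: the naive one leaks the cookie, the
// hardened one keeps `document` masked as null.
function demo() {
  return {
    naive: runMasked(naiveMask(['document']), UNTRUSTED),       // 'session=SECRET'
    hardened: runMasked(hardenedMask(['document']), UNTRUSTED), // 'masked'
  };
}

console.log(demo());
```

`Object.freeze(mask)` makes every existing property non-configurable in one call and is an equivalent fix when the mask is built from plain assignments.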
