Question

Well it s not some huge security risk, though it reveals some potential interference at least.

我们有这些非常封闭的Java文本模块,在不相互了解的情况下装上我的网页。他们来自“被委托”的,但是,一些校准者犯了错误,见《法典》。

setInterval(function(){
   alert( I am doing some important stuff );
}, 1000);

var i = setInterval(function(){}, 0);
for(; i >= 0; i-=1) {
    clearInterval(i);
}

<><>My Html

<script src="http://good.site/libs/the-famous-important-lib1.js" type="text/javascript"></script>
<script src="http://not-excelent.site/libs/the-cool-lib2.js" type="text/javascript"></script>

在一个浏览器或至少是在Laboading Lib2身上,实际上会完全打破Lib1。有些人可能说,这并不重要,如何sil弄错误。

我认为这是一种不良行为。由于我们在我们的网站上装上了更多的3个政党的校准。或许一个适当的解决办法是,set Interval和setout应当将奥杰布拉德归还为真正的独特和不可动摇的,而不是仅仅作为数字自动加固识别。

Someone might cam up with a real-world exploitation for this (still didn t test if it is cross frames, I doubt it really).

The question is: Is it? and Does strict mode in es5 overcomes that?

Answer 1

es5中的严格方式是否克服了?

编号Interval和settimeout是OMS约束的一部分——在任何版本的Ecma 印本中都未具体说明。严格的方式概不影响他们。

This will probably change in the next version of EcmaScript since the TC39 committee thinks that concurrency is a core language feature that needs to be specified and will probably retain event loop concurrency.

这些变化不大可能影响到你提出的问题。 Caja /security Ecma texts (SES) 确实能够确保间隔期和停产期不值得猜测。

Answer 2

Interesting point.

Since interval/timeout ids are sequential, you can (as you ve shown us) clear all intervals/timeouts by getting yourself next interval id, and than trying to clear any ids lower than one you got.

然而,我看不到那里存在的任何“安全”威胁。任何网络应用,其安全完全建立在瓦贾特的间隔和/或时间上,都好像是 any。

正如Sergio Tulentsev已经评论的那样——滥用明显间隔/清白将会打破——当然——但(99%的时间)得起,这对网络应用构成任何安全威胁。

友情链接