Commit
Use a reference to Array#concat rather than relying on the runtime environment's `concat`.
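The technique this commit applies, as an added example that is not taken from the commit's diff: one library function captures `Array.prototype.concat` when the library loads, the other looks `concat` up on the array at every call. The names `mergeCaptured`, `mergeRuntime`, `installOverride` and `demo` are assumptions for illustration.

```javascript
// Added example (not the commit's own code): why capturing a reference to
// Array.prototype.concat at load time survives a later prototype override.

// Captured once, at load time. Function.prototype.call is also bound here, so
// a later override of either Array.prototype.concat or Function.prototype.call
// cannot reach this function.
const arrayConcat = Function.prototype.call.bind(Array.prototype.concat);

// Library code written the hardened way: uses the captured reference.
function mergeCaptured(a, b) {
  return arrayConcat(a, b);
}

// Library code written the fragile way: resolves `concat` through the
// prototype chain on every call, so it sees whatever is installed at that time.
function mergeRuntime(a, b) {
  return a.concat(b);
}

// Stand-in for careless or untrusted code that loads after the library and
// replaces Array.prototype.concat. Returns a function that restores the original.
function installOverride() {
  const original = Array.prototype.concat;
  Array.prototype.concat = function tampered() {
    return ['tampered'];
  };
  return () => {
    Array.prototype.concat = original;
  };
}

// Runs both library functions while the override is installed and reports what
// each one returned; the prototype is restored afterwards.
function demo() {
  const restore = installOverride();
  try {
    return {
      captured: mergeCaptured([1], [2]), // unaffected by the override
      runtime: mergeRuntime([1], [2]),   // sees the tampered concat
    };
  } finally {
    restore();
  }
}
```

`Function.prototype.call.bind(method)` is the usual "uncurry this" idiom: it yields a plain function taking the receiver as its first argument, so the library never has to touch a method property on a caller-supplied object.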
Showing 1 changed file with 3 additions and 2 deletions.
8ce6832
Cool, thanks for making the library a little more robust against unexpected prototype overrides
Good idea, however obviously this only works if the shims are evaluated before any malicious/careless code is evaluated.
yeah, I am thinking the websites can control this a little. I see this typical order
It's clear in JavaScript that only the first-run script can have any guarantees about security - this is the TC39 committee's position on it, as well.
That loading order is exactly what should be used imo :-)
Made https://github.com/bahmutov/freeze-prototypes to add precautions after loading trusted libraries and before loading any of the custom application / 3rd party code
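The precaution the freeze-prototypes link describes, as an added example that is not that project's code: after the trusted library has captured what it needs, freeze `Array.prototype` so that code loaded afterwards cannot replace `concat`. The function names are assumptions for illustration, and only one prototype is frozen here; a real shim would cover the other intrinsics as well. As the earlier comment notes, this only helps if it runs before any untrusted code, since freezing locks in whatever is on the prototype at that moment, tampered or not.

```javascript
// Added example (not the freeze-prototypes project's code): freezing a
// built-in prototype after trusted code loads and before third-party code runs.

// Freezes Array.prototype and reports whether the freeze took effect.
// Ordering matters: an override installed before this call would be frozen in.
function freezeArrayPrototype() {
  Object.freeze(Array.prototype);
  return Object.isFrozen(Array.prototype);
}

// Stand-in for later-loaded code trying to replace concat. Strict mode is used
// so the rejected write throws instead of failing silently.
function attemptOverride() {
  'use strict';
  const before = Array.prototype.concat;
  try {
    Array.prototype.concat = function tampered() {
      return ['tampered'];
    };
    return { threw: false, changed: Array.prototype.concat !== before };
  } catch (e) {
    return { threw: e instanceof TypeError, changed: Array.prototype.concat !== before };
  }
}

// Freeze first, then attempt the override, then confirm concat still works.
function demo() {
  const frozen = freezeArrayPrototype();
  const attempt = attemptOverride();
  return {
    frozen,                 // true
    threw: attempt.threw,   // true: the write was rejected
    changed: attempt.changed, // false: concat is the original
    stillWorks: [1].concat([2]), // [1, 2]
  };
}
```

In sloppy-mode code the same assignment is ignored rather than thrown, so the prototype stays intact either way; the difference is only whether the offending script notices.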
It's definitely nice and simple. But for security, how is that better than using Caja/SES?
Caja has so many issues, I am worried about its quality https://github.com/google/caja/issues
Issues are an indication of success :-) No issues is an indication that the bugs just haven't been found yet.
Core Caja contributors are on the TC39 committee, and definitely know their stuff. I trust it very much.