Secure Mode exposes 'window' as 'this' #247

Open
xsc opened this issue Mar 15, 2017 · 2 comments

xsc commented Mar 15, 2017

Within the KLIPSE boxes at the blog post announcing secure mode, it's still possible to run e.g. the following JavaScript snippets, exposing things secure mode is trying to hide:

this.document
this.eval("1+2")

Even HTTP requests can be triggered:

var makeXhr = this.Function("return new XMLHttpRequest()");
var xhr = makeXhr.call(this);
...

All this is possible because 'this' is bound to 'window'.
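
The binding described in this issue, as an added example that is not part of the original report and is not Klipse's code: a hypothetical evaluator that hides globals only by shadowing their names still hands a snippet the global object as `this`, while a strict-mode body keeps `this` undefined. `HIDDEN`, `evalShadowOnly`, `evalStrictThis`, `probe` and the stand-in `document` are assumptions made for the illustration.

```javascript
// Added example: the evaluators and the HIDDEN list are hypothetical, not Klipse's code.
const HIDDEN = ["window", "document", "XMLHttpRequest", "Function"];

// Constructed stand-in so the example also runs under Node, which has no DOM.
globalThis.document = { title: "constructed stand-in" };

// Weak: hides globals only by shadowing their names with (undefined) parameters.
// The body is sloppy-mode code, so a call without a receiver gets the global
// object as `this`, and every shadowed name is reachable again as a property.
function evalShadowOnly(snippet) {
  const fn = new Function(...HIDDEN, "return (" + snippet + ");");
  return fn();
}

// Closes this particular leak: in a strict-mode body `this` is not coerced
// to the global object, so it stays undefined.
function evalStrictThis(snippet) {
  const fn = new Function(...HIDDEN, '"use strict"; return (' + snippet + ");");
  return fn.call(undefined);
}

// Runs one snippet through an evaluator and reports the value or the error name.
function probe(evaluate, snippet) {
  try {
    return { ok: true, value: evaluate(snippet) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Same snippets against both evaluators, for a side-by-side comparison.
function demo() {
  return {
    shadowedName: probe(evalShadowOnly, "typeof document"),
    weakViaThis: probe(evalShadowOnly, "this.document.title"),
    strictThis: probe(evalStrictThis, "typeof this"),
    strictViaThis: probe(evalStrictThis, "this.document"),
  };
}

console.log(demo());
```

Fixing the `this` binding closes only the leak reported here; name shadowing is not an isolation boundary, so untrusted snippets are better evaluated in a separate context such as a sandboxed iframe or a worker.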

Owner

viebel commented Mar 22, 2017

Thanks for the bug report.
I'm working on a fix.


workshub bot commented Jan 1, 2021

@hgupta2363 started working on this issue via WorksHub.
