V
VK
It is in continuation of my post at
http://groups.google.com/group/comp.lang.javascript/msg/33e97b0a9ce71503
"the old maskon and demaskonizing problems, see for instance my old
post from 2007:
http://groups.google.com/group/comp.lang.javascript/msg/65a858c19f383df0
Given a situation with a malicious script that shadows (maskonizes)
window.XMLHttpRequest with its own object that fully emulates the
native one plus sends copies of each data input to a 3rd party server.
Until the malicious library is fully removed from any wide use, out
emergency security patch has to ensure that each new XMLHttpRequest is
based on the default vendor's constructor and not on some 3rd party
runtime maskon. On detecting a maskonized environment the security
patch first tries to get the access to the real constructor; if it's
not possible on the given platform then warn the user and break the
code execution."
It seems to me it might be a very useful learning curb about Global,
window, their differences and their per platform peculiarities.
For people who are not aware about the maskon problem a little sample
to work with:
var _XHR_ = window.XMLHttpRequest;
window.XMLHttpRequest = function() {
// Return patched _XHR_
// or XHR emulation over hidden iframe
// or many other options, of course
// with maskons for all documented
// properties and methods of the real
// XHR for the given platforms.
// Here simply fooling the constructor
// behavior for the sake of brevity:
var maskon = new _XHR_;
maskon._take_the_red_pill_ = true;
return maskon;
}
var a = new window.XMLHttpRequest;
var b = new window.XMLHttpRequest;
window.alert(a); // XMLHttpRequest
window.alert(a == b); // false
window.alert(a._take_the_red_pill_); // true
</script>
P.S. Browser producers did their best to leave us as unprotected as
possible against of it, especially IE with its intentionally broken
[delete] functionality. Yet the remedy is possible and can be found -
but a better one might be suggested.
P.P.S. Back in 2007 some "regulars" suggested that red and other pills
shows my preoccupation with drugs... For the possible sorry beings who
did not seen the "Matrix" movie yet: "red pill" refers to the pill Neo
had to take to leave the virtual world for the real one.
http://groups.google.com/group/comp.lang.javascript/msg/33e97b0a9ce71503
"the old maskon and demaskonizing problems, see for instance my old
post from 2007:
http://groups.google.com/group/comp.lang.javascript/msg/65a858c19f383df0
Given a situation with a malicious script that shadows (maskonizes)
window.XMLHttpRequest with its own object that fully emulates the
native one plus sends copies of each data input to a 3rd party server.
Until the malicious library is fully removed from any wide use, out
emergency security patch has to ensure that each new XMLHttpRequest is
based on the default vendor's constructor and not on some 3rd party
runtime maskon. On detecting a maskonized environment the security
patch first tries to get the access to the real constructor; if it's
not possible on the given platform then warn the user and break the
code execution."
It seems to me it might be a very useful learning curb about Global,
window, their differences and their per platform peculiarities.
For people who are not aware about the maskon problem a little sample
to work with:
var _XHR_ = window.XMLHttpRequest;
window.XMLHttpRequest = function() {
// Return patched _XHR_
// or XHR emulation over hidden iframe
// or many other options, of course
// with maskons for all documented
// properties and methods of the real
// XHR for the given platforms.
// Here simply fooling the constructor
// behavior for the sake of brevity:
var maskon = new _XHR_;
maskon._take_the_red_pill_ = true;
return maskon;
}
var a = new window.XMLHttpRequest;
var b = new window.XMLHttpRequest;
window.alert(a); // XMLHttpRequest
window.alert(a == b); // false
window.alert(a._take_the_red_pill_); // true
</script>
P.S. Browser producers did their best to leave us as unprotected as
possible against of it, especially IE with its intentionally broken
[delete] functionality. Yet the remedy is possible and can be found -
but a better one might be suggested.
P.P.S. Back in 2007 some "regulars" suggested that red and other pills
shows my preoccupation with drugs... For the possible sorry beings who
did not seen the "Matrix" movie yet: "red pill" refers to the pill Neo
had to take to leave the virtual world for the real one.