29183 – Objects that implement an [Unforgeable] interface should have a non-configurable @@toPrimitive method

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 29183 - Objects that implement an [Unforgeable] interface should have a non-configurable @@toPrimitive method

Summary: Objects that implement an [Unforgeable] interface should have a non-configura...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebAppsWG
Classification:	Unclassified
Component:	WebIDL (show other bugs)
Version:	unspecified
Hardware:	PC Linux

Importance:	P2 normal
Target Milestone:	---
Assignee:	Cameron McCormack
QA Contact:	public-webapps-bugzilla

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	29383
	Show dependency tree / graph

Reported:	2015-10-07 20:06 UTC by Jason Orendorff
Modified:	2016-01-29 01:59 UTC (History)
CC List:	5 users (show)

See Also:

Attachments

Description Jason Orendorff 2015-10-07 20:06:07 UTC

There's a platform security invariant is that `location + ""` must not be spoofable, but ES6 adds a new way to spoof ToPrimitive(obj): it now looks for a method obj[@@toPrimitive].

http://www.ecma-international.org/ecma-262/6.0/index.html#sec-toprimitive

So unless an innocuous @@toPrimitive method is defined as non-configurable and non-writable on the location object itself (not a prototype), `location + ""` can be spoofed by defining a custom @@toPrimitive method on it.

Comment 1 Allen Wirfs-Brock 2015-10-07 20:59:16 UTC

Note that it is sufficent to define a non-configurable, readonly own data property whose value is undefined

Comment 2 Boris Zbarsky 2015-10-14 13:12:57 UTC

Non-configurable, readonly data property with value undefined is what we're implementing in Gecko.

Comment 3 Anne 2016-01-29 01:59:26 UTC

Fixed in https://github.com/annevk/html-cross-origin-objects/issues/19. This will move out of IDL and by defined through prose since Location is the only object that needs this.