This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 29183 - Objects that implement an [Unforgeable] interface should have a non-configurable @@toPrimitive method
Status: RESOLVED FIXED
Alias: None
Product: WebAppsWG
Classification: Unclassified
Component: WebIDL
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Cameron McCormack
QA Contact: public-webapps-bugzilla
Blocks: 29383
Reported: 2015-10-07 20:06 UTC by Jason Orendorff
Modified: 2016-01-29 01:59 UTC

Description Jason Orendorff 2015-10-07 20:06:07 UTC
There's a platform security invariant that `location + ""` must not be spoofable, but ES6 adds a new way to spoof ToPrimitive(obj): it now looks for a method obj[@@toPrimitive].

http://www.ecma-international.org/ecma-262/6.0/index.html#sec-toprimitive

So unless an innocuous @@toPrimitive method is defined as non-configurable and non-writable on the location object itself (not a prototype), `location + ""` can be spoofed by defining a custom @@toPrimitive method on it.
Comment 1 Allen Wirfs-Brock 2015-10-07 20:59:16 UTC
Note that it is sufficient to define a non-configurable, readonly own data property whose value is undefined.
Comment 2 Boris Zbarsky 2015-10-14 13:12:57 UTC
Non-configurable, readonly data property with value undefined is what we're implementing in Gecko.
Comment 3 Anne 2016-01-29 01:59:26 UTC
Fixed in https://github.com/annevk/html-cross-origin-objects/issues/19. This will move out of IDL and be defined through prose since Location is the only object that needs this.
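
The behaviour discussed in the description and in comments 1 and 2, as an added example that is not part of the original thread or any browser's code: a plain object stands in for `location`, and the hypothetical helpers `makeLocationLike` and `stringifyAfterOverride` compare no lock, a lock placed only on the prototype, and the own-property lock.

```javascript
// Stand-in for a platform object such as Location (constructed sample, not a
// real browser object). lock is "none", "proto" or "own".
function makeLocationLike(href, lock) {
  const proto = {};
  const obj = Object.create(proto);
  const locked = { writable: false, configurable: false, enumerable: false };
  // toString/valueOf are already unforgeable own properties in this model.
  Object.defineProperty(obj, "toString", { value: () => href, ...locked });
  Object.defineProperty(obj, "valueOf", { value: () => obj, ...locked });
  if (lock !== "none") {
    // Data property with value undefined: ToPrimitive's GetMethod step treats
    // undefined as "no method" and falls back to valueOf/toString.
    const target = lock === "own" ? obj : proto;
    Object.defineProperty(target, Symbol.toPrimitive, { value: undefined, ...locked });
  }
  return obj;
}

// Tries both ways a script could install its own @@toPrimitive, then reports
// how many attempts were refused and what `obj + ""` evaluates to afterwards.
function stringifyAfterOverride(obj, fakeValue) {
  const hook = () => fakeValue;
  // Reflect.* returns false instead of throwing, so this works in any mode.
  const outcomes = [
    Reflect.set(obj, Symbol.toPrimitive, hook),
    Reflect.defineProperty(obj, Symbol.toPrimitive, { value: hook }),
  ];
  return { result: obj + "", blocked: outcomes.filter((ok) => !ok).length };
}

const real = "https://example.org/";      // constructed sample value
const fake = "https://spoofed.invalid/";  // constructed sample value
for (const lock of ["none", "proto", "own"]) {
  console.log(lock, stringifyAfterOverride(makeLocationLike(real, lock), fake));
}
```

The `"proto"` case refuses plain assignment but still lets `defineProperty` create an own property, which is why the description asks for the lock on the object itself.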