Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

JavaScript completely "tamper safe" variables

So, here is the issue.

I have something like:

// Dangerous __hostObject that makes requests bypassing 
// the same-origin policy exposed from other code.
(function(){
    var danger = __hostObject;
})();
delete __hostOBject;

Am I perfectly safe knowing no script can tamper or access __hostObject?

( If they can, I have an CSRF vulnerability or worse. )

Note 1: This is for a browser extension. I have better hooks than other scripts running on the page. I execute before them and I'm done before they've even loaded.

Note 2: I know this has been asked multiple times for scripts in general. I'm wondering if it's possible if I know I load before any other scripts.

like image 287
Benjamin Gruenbaum Avatar asked Dec 15 '13 11:12

Benjamin Gruenbaum


1 Answers

Provided that the __hostObject is deletable, the code in your question is safe.

However, I assume that your real code is slightly more complicated. In that case, very careful coding is required, because the page can change built-in methods (e.g. Function.prototype.call) to get into your closure and do whatever evil things they want. I had successfully abused functionality of extension frameworks such as Kango and Crossrider via this method when I performed such a test.

like image 163
Rob W Avatar answered Oct 17 '22 01:10

Rob W