
According to the Caja paper:

Forbidden names. In Firefox, access to the "__proto__" property of an object would grant the authority to create more objects like it, which violates the principle of least authority. Therefore, Caja rejects all names ending with "__" (double underscore). This also gives the Caja implementation a place to store its bookkeeping information where it is invisible to the Caja programmer.

I tried in Firebug, just seeing all the methods __proto__ has (i.e., pkcs11, atob, btoa, screenX etc.), but I don't see a copy-type method. How is __proto__ exploited?


2 Answers


Unless I'm misunderstanding what they're saying, you don't need __proto__ to create more objects from the same prototype as the original.

You can do that with standard ECMAScript 5 methods.

function FooBar() {}
FooBar.prototype.foo = function() { return "bar"; };

/* create a FooBar object */
var fb1 = new FooBar();

/* using __proto__ this creates an object with the same prototype as fb1 */
var fb2 = {};
fb2.__proto__ = fb1.__proto__;

/* and so does this, but without __proto__ */
var fb3 = Object.create(Object.getPrototypeOf(fb1));

fb1 instanceof FooBar; // true
fb2 instanceof FooBar; // true
fb3 instanceof FooBar; // true
answered 2012-05-06T00:35:05.753

I wouldn't quite call it an exploit, but in JavaScript engines that support __proto__, you can create an object with the same prototype as any other object like this:

function makeObjectLike(a) {
    function maker() { }
    maker.prototype = a.__proto__;
    return new maker();
}

You can also use ES5's Object.getPrototypeOf(a) instead of a.__proto__.

Caja forbids things not because they are inherently bad, but because they could be used maliciously if you don't trust the code you are loading and running. Using this technique in your own code is fine (browser compatibility issues aside).

answered 2012-05-06T00:35:15.067
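As an added example (not code from either answer, nor from Caja itself), here is a property-name filter written in the spirit of the Caja rule the question quotes, rejecting any key that ends in a double underscore, next to the second answer's makeObjectLike rewritten with Object.getPrototypeOf. The names isForbiddenName, copyAllowed and demo, and the sample input, are chosen here.

```javascript
// Caja-style check from the quoted paper: any name ending in "__" is
// reserved, which covers "__proto__" without listing it explicitly.
function isForbiddenName(name) {
  return typeof name === "string" && name.endsWith("__");
}

// Copy only the permitted own properties of `src` into a fresh object,
// throwing on a forbidden key instead of silently letting "__proto__" through.
function copyAllowed(src) {
  const out = {};
  for (const key of Object.keys(src)) {
    if (isForbiddenName(key)) {
      throw new Error("forbidden property name: " + key);
    }
    out[key] = src[key];
  }
  return out;
}

// Constructed sample: the same prototype chain as in the first answer.
function FooBar() {}
FooBar.prototype.foo = function () { return "bar"; };

// The second answer's makeObjectLike, using the standard ES5 accessor
// instead of the non-standard __proto__ property.
function makeObjectLike(a) {
  return Object.create(Object.getPrototypeOf(a));
}

function demo() {
  const fb1 = new FooBar();
  const fb2 = makeObjectLike(fb1);

  // Constructed untrusted input: JSON.parse makes "__proto__" an ordinary
  // own property here, so it shows up in Object.keys and gets rejected.
  const untrusted = JSON.parse('{"x": 1, "__proto__": {"tainted": true}}');
  let rejected = false;
  try { copyAllowed(untrusted); } catch (e) { rejected = true; }

  return {
    sameProto: Object.getPrototypeOf(fb2) === FooBar.prototype,
    isInstance: fb2 instanceof FooBar,
    rejected: rejected,
    protoForbidden: isForbiddenName("__proto__"),
    fooAllowed: !isForbiddenName("foo"),
    cleanCopyKeys: Object.keys(copyAllowed({ x: 1, y: 2 })).join(","),
  };
}
```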