Is a closure's scope accessible by untrusted code?

Is the scope of a closure accessible after it's been created? Is it
safe against XSS to use closures to store "private" auth tokens? In
particular, in...

    function closure(token) {
        return function () {
            // code which uses token to authenticate
        }
    }

    foo = closure(secret);
    delete secret;

    // untrusted code

...can untrusted code access 'secret', or only the code inside foo?

- Andrey
Oct 24 '08 #1
On Oct 24, 1:57 pm, Andrey Fedorov wrote:
> Is the scope of a closure accessible after it's been created?

The scope is handled internally by the implementation; you probably
mean 'are the objects on the scope chain accessible after it has been
created', or at least those not added to a scope chain with a - with -
statement or the global object (the latter always being accessible).
In pure ECMAScript terms the answer is no. However, in javascript
terms the answer would be 'don't rely on that', as implementations
have provided mechanisms for setting/re-establishing scopes for
function calls. See:-

<URL: http://peter.michaux.ca/article/8069 >
> Is it safe against XSS to use closures to store "private"
> auth tokens?

Almost certainly not. Not necessarily for any reasons related to
closures but rather questions like how these "auth tokens" got to the
javascript code without being exposed. (If they are in the page source
or the source of an (even dynamically generated) JS file how can you
be certain that the text cannot be retrieved from the DOM, and if XML
HTTP requested how can you be certain that the XSS script did not wrap
the XML HTTP request object, etc.?)
> In particular, in...
>
>     function closure(token) {
>         return function () {
>             // code which uses token to authenticate
>         }
>     }
>
>     foo = closure(secret);
>     delete secret;
>
>     // untrusted code
>
> ...can untrusted code access 'secret', or only the code inside foo?

Even if it cannot does it need to? The - foo - value is exposed and
can be modified, and its source code extracted to form the basis for
that modification.

Richard.
Oct 24 '08 #2
Thanks for the thorough response -
> how can you be certain that the XSS script did not wrap
> the XML HTTP request object

By making sure all user-submitted data are rendered only after the
closures which use auth-token have been created.

Thanks also for the link to Peter's blog, I was looking for that - the
issue appears to have been closed in FF >= 3.1. I agree that this
isn't a solid solution, but might provide at least somewhat of a
barrier against some attacks.

Cheers,
Andrey
Oct 27 '08 #3
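
The two points raised in the replies (a later script wrapping the request object, and creating the closures before untrusted content is rendered), as an added example that is not part of the original posts. `page`, `send` (a stand-in for the XMLHttpRequest object), the token value and the closure bodies are assumptions; the example shows that creation order only helps when the closure also captures its transport reference at creation time.

```javascript
// Added example: `page`, `send` and the token are constructed stand-ins.
function makePage() {
  const page = { received: [] };
  page.send = function (req) { page.received.push(req); };
  return page;
}

// Assumed body for the question's closure: transport looked up on every call.
function closureLateLookup(page, token) {
  return function () { page.send({ auth: token }); };
}

// Variant that captures the transport reference when the closure is created.
function closureEarlyCapture(page, token) {
  const send = page.send;
  return function () { send({ auth: token }); };
}

// Models a later script that wraps the transport and records what passes through.
function wrapTransport(page) {
  const observed = [];
  const original = page.send;
  page.send = function (req) { observed.push(req.auth); original(req); };
  return observed;
}

function runScenario() {
  const token = "constructed-token";
  const page = makePage();
  page.late = closureLateLookup(page, token);
  page.early = closureEarlyCapture(page, token);
  const earlyRef = page.early;
  // The exposed function value can itself be replaced unless the binding is locked.
  Object.defineProperty(page, "early", { writable: false, configurable: false });

  const observed = wrapTransport(page);   // runs after the closures exist
  page.late();
  const lateLeaked = observed.includes(token);
  observed.length = 0;
  page.early();
  const earlyLeaked = observed.includes(token);

  try { page.early = function () {}; } catch (e) { /* strict mode throws */ }
  return { lateLeaked, earlyLeaked,
           bindingIntact: page.early === earlyRef,
           delivered: page.received.length };
}

console.log(runScenario());
```

It does not address how the token reached the script in the first place, which is the other exposure raised in reply #2.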
