Making WeakMap security not depending on HIDDEN_NAME being neither unguessable nor undiscoverable #19
Description
In this patch:
* I define LeakyWeakMaps (implemented with a key/value arrays pair)
* I replace the 2 key/values array pairs (hidden record and leaky weakmap for
non-extensible objects) by LeakyWeakMaps
A natural consequence for hidden records is that the API they expose is the one
of a weak map. If an attacker comes to know HIDDEN_NAME, the authority she's
granted (with an object 'o' having HIDDEN_NAME as property) is equivalent to
having access to a weakmap which keys are weakmaps using o as key.
Consequently, unless an attacker knows already some weakmaps that use o as key,
she cannot do anything useful. In case she does know some of thee weakmaps, she
cannot do anything more than what she can do with the WeakMap.protoype API, so
no additional authority is granted.
So, knowing HIDDEN_NAME does not provide more authority than not knowing it.
Original issue reported on code.google.com by bruan...@gmail.com on 14 Jan 2012 at 11:44
Attachments: