
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Strict_mode#Securing_JavaScript

See the section '"Securing" JavaScript' of that page.

What does it mean by exposing the global object in browsers? Isn't the global object the window itself? Is it not always exposed?

Before that they mention this:

"Some websites now provide ways for users to write JavaScript which will be run by the website on behalf of other users. JavaScript in browsers can access the user's private information, so such JavaScript must be partially transformed before it is run, to censor access to forbidden functionality".

Is it something specific to those cases?

mplungjan
SRCP
  • Please quote relevant passages here in your question, so we don't need to guess what exactly you're referring to on that page. – deceze Sep 17 '19 at 07:46
  • @deceze there *are* quotes specifically from the section on "Securing" and the question is about those. – VLAZ Sep 17 '19 at 07:46
  • @VLAZ Yes, but there's no quote about the global object part. – deceze Sep 17 '19 at 07:48
  • You don't have to guess. It literally says "but **exposing the global object in browsers** is a security hazard because the global object provides access to functionality that "secure" JavaScript environments must restrict" – SRCP Sep 17 '19 at 07:51
  • Monkeypatching window methods can expose information. That said, arbitrary code should probably *never* run in the same realm as one that private information is in - use a web worker or a sandboxed cross-domain iframe instead – CertainPerformance Sep 17 '19 at 07:59
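The behaviour the quoted MDN passage refers to, as an added example (not code from the question, the comments or MDN): a deliberately naive "censoring" wrapper hides the global names from user-written code, yet a sloppy-mode function call still receives the global object as `this`, while the same code in strict mode gets `undefined`. The names `runUntrusted`, `report`, `SHADOWED` and the sample `userCode` are hypothetical and constructed for this illustration.

```javascript
// Names the wrapper hides from the user-written code by declaring them as
// parameters that are never passed, so each is `undefined` inside the function.
const SHADOWED = ["window", "self", "globalThis", "global", "document"];

// Hypothetical wrapper: compile user source as a function body and run it.
// Code built by the Function constructor is sloppy unless its own body
// starts with a "use strict" directive, whatever mode the caller is in.
function runUntrusted(source, strict) {
  const body = (strict ? '"use strict";\n' : "") + source;
  const fn = new Function(...SHADOWED, body);
  return fn(); // no receiver, no arguments
}

// Constructed sample of user-written code. It never names `window`;
// it only reads `this` inside an ordinary function call.
const userCode = `
  function probe() { return this; }
  return { named: typeof window, viaThis: probe() };
`;

// Summarise what the user code could see, using primitives only.
function report(strict) {
  const seen = runUntrusted(userCode, strict);
  return {
    named: seen.named,                          // was `window` reachable by name?
    thisIsGlobal: seen.viaThis === globalThis,  // did `this` hand over the global object?
  };
}

console.log("sloppy:", report(false)); // named: 'undefined', thisIsGlobal: true
console.log("strict:", report(true));  // named: 'undefined', thisIsGlobal: false
```

Strict mode closes only this one route to the global object; running the code in a separate realm, as the last comment suggests, is what actually isolates it.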
