
Issue 624713


Issue metadata

Status: Fixed
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security


Security: Calling from WASM to JS should not pass the global object

Reported by titzer@chromium.org (Project Member), Jun 30 2016

Issue description

VERSION
Chrome Version: 51+

REPRODUCTION CASE
Calls to JavaScript functions from WASM pass the global object as the receiver. Instead, such calls should use the CallFunctionStub, which should swap out the global object with the global proxy or undefined.

 
Are the semantics already spec'ed or can we just always pass undefined?

Comment 2 by titzer@chromium.org, Jun 30 2016

The semantics aren't spec'ed yet, but it's likely that we'll want the same effect as if calling "foo()" without a receiver in JS; so that means receiver conversion.
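
The receiver behaviour described in the issue and in comment 2 can be checked directly from JavaScript. The following is an added example, not code from this issue or from V8: it hand-assembles a tiny WebAssembly module (bytes constructed here) that imports one JS function and calls it, then records the `this` seen by a strict-mode and a sloppy-mode import. On an engine that calls imports like a bare `foo()`, the strict import sees `undefined` and the sloppy import sees the global proxy (`globalThis`) via receiver conversion. It assumes a Node.js or browser engine that exposes the `WebAssembly` API and `globalThis`.

```javascript
// Hand-assembled WebAssembly module (constructed for this example) that
// imports one JS function as "m.f" and exports "g", which just calls it.
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // magic + version
  0x01, 0x04, 0x01, 0x60, 0x00, 0x00,                   // type 0: () -> ()
  0x02, 0x07, 0x01, 0x01, 0x6d, 0x01, 0x66, 0x00, 0x00, // import "m"."f" : type 0
  0x03, 0x02, 0x01, 0x00,                               // func 1 : type 0
  0x07, 0x05, 0x01, 0x01, 0x67, 0x00, 0x01,             // export "g" = func 1
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x10, 0x00, 0x0b,       // func 1 body: call 0; end
]);

// Instantiate the module with the import produced by `makeImport`, call the
// export so WASM invokes the import, and return the receiver it observed.
function observeReceiver(makeImport) {
  const rec = { called: false, receiver: null };
  const mod = new WebAssembly.Module(WASM_BYTES);
  const inst = new WebAssembly.Instance(mod, { m: { f: makeImport(rec) } });
  inst.exports.g();
  if (!rec.called) throw new Error('WASM did not call the import');
  return rec.receiver;
}

// Strict-mode import: no receiver conversion, so a bare call must yield undefined.
function strictImportReceiver() {
  return observeReceiver((rec) => function () {
    'use strict';
    rec.called = true;
    rec.receiver = this;
  });
}

// Sloppy-mode import, built with `new Function` so it stays sloppy even when
// this file is a strict module: receiver conversion must yield globalThis,
// the global proxy, never the underlying global object.
function sloppyImportReceiver() {
  return observeReceiver((rec) =>
    new Function('rec', 'return function () { rec.called = true; rec.receiver = this; };')(rec));
}

// Both flags are true on an engine that calls imports like a bare `foo()`.
function checkWasmToJsReceiver() {
  return {
    strictSeesUndefined: strictImportReceiver() === undefined,
    sloppySeesGlobalProxy: sloppyImportReceiver() === globalThis,
  };
}

console.log(checkWasmToJsReceiver());
```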

Comment 4 by titzer@chromium.org, Jun 30 2016

Status: Fixed (was: Unconfirmed)

Comment 5 by sheriffbot@chromium.org, Jun 30 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Security_Impact-Head

Comment 7 by sheriffbot@chromium.org, Oct 6 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot