Also, I expect the entire object tree under "window.crypto" to be non-configurable and non-writable - i.e. "frozen".

Adding 'Needs-Milestone' label, TE will check the issue and update the bug with comments & tag with respective Mstone

@srikumarks -- Thank You for the report.
Navigated to the html file and observed the text, "crypto's been pwned!"

The same behavior is being seen on Firefox also.
Could you please re-check again and provide us the update.
Thanks in Advance.

Yes it is the same behaviour in Firefox too!

For the record, the WebCryptoAPI specification (https://www.w3.org/TR/WebCryptoAPI/) does not seem to say anything specific about the attributes of window.crypto. While that would make the current implementation conformant, it certainly isn't safe for it to be configurable if web devs are expected to be able to trust it.

Thank you for providing more feedback. Adding requester "msrchandra@chromium.org" for another review and adding "Needs-Review" label for tracking.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Could some one from Security team please look into the issue and update.
Thanks in Advance.

Able to reproduce the issue on the latest canary(57.0.2984.0) on Windows-10, Mac OS 10.12.2 and Linux Ubuntu 14.04. This is working the same on Firefox and IE. 

This changed behavior on Chrome in M-51.

Last good build: 51.0.2680.0
First bad build: 51.0.2681.0

Changelog: https://chromium.googlesource.com/chromium/src/+log/342f187bb5ba4f9ec5e7f0ea4018f54b682922da..607c6e18aae50211a534f964ebfdac47cdbf21be

Yuki@: Could this be related to https://codereview.chromium.org/1667653002

+domenic@, do you have any advice on this issue?

The current behavior is by-design and, as the reporter wrote in #7, the current implementation is conformant to the current spec.  From this point of view, there is no problem.

It's possible that the current spec is not secure and needs a fix, but I'm not sure.  Given that you can run arbitrary script on the window (e.g. defineProperty), you can do anything in general not limited to window.crypto.  If you're running a harmful script, it's too late.  IMHO, making window.crypto unconfigurable doesn't help much.  If the script were harmful, then that script can rewrite a whole page to do phishing for example.

re: #10, my CL is not relevant and it's working fine by design.  We can technically make window.crypto unconfigurable with one-line-change, but I don't think we need to do so so far.

Yes, we should close this as working as intended.

This is the wrong level at which to solve the problem. If people are running arbitrary script inside your web page, then you are already irretrievably insecure. You need to mitigate that through measures such as HTTPS, CSP (nonces etc.), and so on.

The proper forum for this discussion is the web crypto spec repository, but I can guarantee they will give you the same answers.

Understand. I've noted this as an issue in that repo - https://github.com/w3c/webcrypto/issues/169

Scripts can also run via browser extensions.