John Resig (of jQuery fame, now a Mozilla Corp. employee) lets us know that JSON leakage through Array constructor redefinition, one form of so-called AJAX hijacking that works on Opera, Safari and Firefox, is going to be impossible on Firefox 3.
Starting with the upcoming Beta 2, in fact, most built-in global constructors (
) will be constant: override attempts will raise an error.
This is obviously an incompatible change, even though the "broken" functionality shouldn't be something you rely upon in your everyday web application.
Anyway, if you find any regression, this is currently tracked under Bug 376957.
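To make the behaviour change concrete, here is an added example (not code from the post, from John Resig or from Mozilla) that checks what a script sees when it tries to replace the global `Array` and then evaluates an array literal, first with the binding writable and then with it read-only. The names `OVERRIDE_ATTEMPT` and `runOverrideAttempt` are hypothetical, and marking the property `writable: false` on the current global is an assumed stand-in for Firefox 3's constant constructors.

```javascript
// Constructed stand-in for a page script that replaces a built-in constructor
// and then evaluates a JSON-style array literal in the same global scope.
const OVERRIDE_ATTEMPT = `
  "use strict";
  var calls = 0, outcome = "overridden";
  try {
    Array = function () { calls++; };   // the redefinition the post refers to
  } catch (e) {
    outcome = e.name;                   // a constant binding raises an error here
  }
  var parsed = [1, 2, 3];               // what a JSON array response evaluates to
  ({ outcome: outcome, calls: calls, length: parsed.length });
`;

// Runs the attempt against the real global object, optionally making Array
// read-only first, and always restores the original property afterwards.
function runOverrideAttempt(lockFirst) {
  const original = Object.getOwnPropertyDescriptor(globalThis, "Array");
  try {
    if (lockFirst) {
      // Assumption: read-only approximates "constant". A real lockdown would
      // also set configurable: false; it stays configurable here only so the
      // finally block can put the original descriptor back.
      Object.defineProperty(globalThis, "Array", { writable: false });
    }
    const result = (0, eval)(OVERRIDE_ATTEMPT); // indirect eval: global scope
    result.replaced = globalThis.Array !== original.value;
    return result;
  } finally {
    Object.defineProperty(globalThis, "Array", original);
  }
}

const unlocked = runOverrideAttempt(false);
const locked = runOverrideAttempt(true);

// ES5 and later engines build array literals from the intrinsic Array, so the
// replacement constructor is never called for [1, 2, 3] in either run.
console.log("writable binding:", unlocked);
console.log("read-only binding:", locked);
```

With the binding read-only the assignment fails with a `TypeError` in strict code; in non-strict code the same assignment is ignored silently rather than raising.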
December 10th, 2007 at 11:01 pm
Somehow this really shocks me; browser developers doing something to try and improve security rather than saying "it's not our fault"...
Looks like it's going to be a cold night in hell...
December 26th, 2007 at 7:29 am
it's a shame this doesn't work:
function XML(){alert(123);}
aaa;
since that would mean.. hell? imagine, reading all XML/XHTML websites.. that would be awezomee
December 28th, 2007 at 5:30 am
just fyi..
the example I made was..
function XML(){alert(123);}
<x>aaa;</x>
hehe