Han
1 min read · Jul 10, 2019


d0nut: Great post! First post I found mentioning this issue.

However, I’m finding that both of the following do work:

delete Object.getPrototypeOf(function*(){}).constructor;

and

Object.defineProperty(
  Object.getPrototypeOf(function*(){}),
  'constructor',
  { value: null });

Ditto for AsyncFunction (aka Object.getPrototypeOf(async function(){}).constructor).

Combined with ES5 Strict Mode (so that getting the global object isn’t as easy as (function(){return this}())), as far as I know this should fully prevent access to the global scope, right?

(As I mention in another comment, I agree with your overarching point that iframes and workers are much safer, but I think this is still valuable for defense-in-depth — plus, it’s fun!)
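
Added example, not part of the comment or the original post: a Node script that applies both forms above inside a fresh `vm` realm and reports which function-kind prototypes still resolve `constructor` to a string-compiling constructor. It goes beyond the two kinds named in the comment by also covering `Function.prototype` and async generator functions; `freshRealm`, `exposedKinds` and the `lockdown*` helpers are hypothetical names.

```javascript
'use strict';
const vm = require('vm');

// Evaluated in a fresh realm so the host's own intrinsics are left untouched.
const KINDS_SRC = `({
  Function: Object.getPrototypeOf(function () {}),
  GeneratorFunction: Object.getPrototypeOf(function* () {}),
  AsyncFunction: Object.getPrototypeOf(async function () {}),
  AsyncGeneratorFunction: Object.getPrototypeOf(async function* () {}),
})`;

// Hypothetical helper: the four prototypes plus the constructors they start with.
function freshRealm() {
  const protos = vm.runInNewContext(KINDS_SRC);
  const compilers = new Set(Object.values(protos).map((p) => p.constructor));
  return { protos, compilers };
}

// Kinds whose `constructor` lookup (own or inherited) still yields a string compiler.
function exposedKinds({ protos, compilers }) {
  return Object.keys(protos).filter((k) => compilers.has(protos[k].constructor));
}

// First form from the comment: remove the own property.
function lockdownByDelete(realm, names) {
  for (const n of names) delete realm.protos[n].constructor;
}

// Second form from the comment; writable/configurable false are added hardening.
function lockdownByDefine(realm, names) {
  for (const n of names) {
    Object.defineProperty(realm.protos[n], 'constructor',
      { value: null, writable: false, configurable: false });
  }
}

function demo() {
  const all = ['Function', 'GeneratorFunction', 'AsyncFunction', 'AsyncGeneratorFunction'];
  const run = (lock, names) => { const r = freshRealm(); lock(r, names); return exposedKinds(r); };
  return {
    untouched: exposedKinds(freshRealm()),
    // delete alone: lookup falls through to Function.prototype.constructor
    deleteTwo: run(lockdownByDelete, ['GeneratorFunction', 'AsyncFunction']),
    defineTwo: run(lockdownByDefine, ['GeneratorFunction', 'AsyncFunction']),
    deleteAll: run(lockdownByDelete, all),
    defineAll: run(lockdownByDefine, all),
  };
}

console.log(demo());
```

A deleted own property makes the lookup continue up the prototype chain, so `delete` only closes the path once `Function.prototype.constructor` is neutralized as well, while `defineProperty` installs an own `null` that shadows the inherited value.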
