
Why is __caller__ unsafe?

The following seems to be a reasonable use of __caller__:

    var foo=1;
    function a() {
        var foo=2;
        function b() {
            var foo=3;
            foo; // 3
            this.foo; // 1, from global
            __caller__.foo // 2
        }
        b();
    }
    a(); // creates a's execution context

However, __caller__ is not available. Why not? If the global context/variable object can be accessed using this, then why not a's?


Doc says:

The special property __caller__, which returned the activation object of the caller thus allowing to reconstruct the stack, was removed for security reasons.

And it is easy to see why this could be a security disaster in a browser where much of the UI is implemented in JavaScript. Imagine having one of your functions called by an add-on or other chrome. You could look up the call stack and read callers' (potentially sensitive) variables, or even inject JavaScript values into caller functions, potentially subverting them to do something against the user's wishes. Effectively every web page would get chrome security privileges and completely compromise the browser.

You certainly should never have used it in real JavaScript, because it was a non-standard Mozilla-only implementation detail, not to mention incredibly ugly. It does not have the lexical behaviour you normally expect of JS.


I am not really familiar with the subject, but have you tried arguments.callee.caller?

See here: Javascript how do you find the caller function?
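
Added example, not part of any answer on this page: what the arguments.callee.caller route mentioned just above exposes in current engines, and how strict mode (which the page does not discuss) closes it. It goes one step beyond the text by also reading the caller's arguments; all function names and the token value are constructed for illustration.

```javascript
// Added illustration; names and the token are constructed, not from the page.
// Function-constructor bodies are sloppy mode unless they opt in to strict,
// so this behaves the same whether the file is loaded as a script or a module.

// Sloppy callee: steps one frame up and reads the caller's second argument.
const peek = new Function(
  'var c = arguments.callee.caller;' +
  'return c === null ? null : c.arguments[1];'
);

// Strict callee: the arguments.callee access itself throws TypeError.
const strictPeek = new Function(
  '"use strict"; return arguments.callee.caller;'
);

// Two callers that hold a sensitive argument and invoke an untrusted callback.
const sloppyCaller = new Function('cb', 'token', 'return cb();');
const strictCaller = new Function('cb', 'token', '"use strict"; return cb();');

// Run one caller/callee pairing and report what the callee obtained.
function probe(caller, callee) {
  try {
    return { leaked: caller(callee, 'constructed-token-123') };
  } catch (e) {
    return { error: e instanceof TypeError ? 'TypeError' : String(e) };
  }
}

function runAll() {
  return {
    sloppyBoth: probe(sloppyCaller, peek),       // caller's argument is readable
    strictCaller: probe(strictCaller, peek),     // engine reports the caller as null
    strictCallee: probe(sloppyCaller, strictPeek), // the walk cannot even start
  };
}

console.log(runAll());
```

Only the all-sloppy pairing leaks the token, so code that passes callbacks to less trusted code is safer when it is strict; ES modules and class bodies are strict by default.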


In your example, you can argue that things in b should be able to address things in the active instance of a, and it seems reasonable because a encloses b. But if that weren't the case, say you define

    function c() {
        var foo='hedgehog';
        b();
    }

that's something else entirely, so your argument looks like it applies to a pretty special case.
