| HN Mirror

Y	Hacker News new \| ask \| show \| jobs


	by tixzdk 3470 days ago
	I think the article gets this wrong. `window.crypto` should be read-only

2 comments

ifelsehow 3470 days ago

I find the following in Chrome:

> window.crypto.getRandomValues

// getRandomValues() { [native code] }

> window.crypto.getRandomValues = function () { return "aloha" }

> window.crypto.getRandomValues()

// "aloha"

Not sure if this is the case in all browsers. `window.crypto` certainly should be read-only.

link

niftich 3470 days ago

In Chrome, window.crypto is read-only:

> window.crypto

< Crypto {subtle: SubtleCrypto}

> window.crypto = "hi!"

< "hi!"

> window.crypto

< Crypto {subtle: SubtleCrypto}

But not anything underneath, including getRandomValues(), as you write. A recent issue about this [1] on the WebCrypto spec itself was closed with 'wontfix' because in their view, polyfilling web APIs is a common and accepted practice.

[1] https://github.com/w3c/webcrypto/issues/107

link

flukus 3470 days ago

Shouldn't all pollyfills check only override the functions if they're missing?

link

jsjohnst 3470 days ago

What if it's present but the implementation is incomplete?

link

paulddraper 3469 days ago

E.g. an extra optional parameter.

link

rmrfrmrf 3470 days ago

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25345

It looks like they intentionally don't do that in order to prevent the illusion of security.

link