Open kumavis opened 2 months ago
Thank you for your input and suggestions. firewall-js wasn’t originally designed to protect against supply-chain attacks but rather to ensure that the application’s architecture is properly enforced. As you pointed out, it’s not difficult to circumvent access controls if malicious code is present anywhere in the application. I think using both firewall-js and ses together makes sense for enhanced security.
saw your work on hn, enjoyed the article and discussion
i am a javascript language security researcher. in your article you mentioned this playing a role in security
if this is true, please bear in mind that these security guarantees can be easily subverted in the following ways:
- `Error` intrinsic (overriding and preventing further overriding of `prepareStackTrace`) to provide inaccurate results to the `callsite` package
- `String.prototype.replace` intrinsic to always contain the attacker's filepath

if this sort of thing interests you, check out:
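
An added example, not part of the issue thread and not firewall-js code: a tripwire for the two intrinsics named in the list above, wrapped around a stack-based caller lookup on Node.js/V8. `auditIntrinsics` and `trustedCallerFile` are hypothetical names, and the sketch assumes this module is evaluated before any untrusted code.

```javascript
'use strict';
// Captured at module load. Assumption: this module runs before any untrusted
// code, otherwise these references may already have been replaced.
const getDesc = Object.getOwnPropertyDescriptor;
const nativeReplace = String.prototype.replace;
const startDesc = getDesc(Error, 'prepareStackTrace');
const startHook = startDesc ? startDesc.value : undefined;

// Report intrinsics that a stack-based caller check depends on and that no
// longer look the way they did at startup.
function auditIntrinsics() {
  const findings = [];
  const pst = getDesc(Error, 'prepareStackTrace');
  if (pst) {
    if ('get' in pst || 'set' in pst) {
      // An accessor can swallow later assignments and keep serving its own hook.
      findings.push('Error.prepareStackTrace is an accessor property');
    } else if (!pst.writable || !pst.configurable) {
      findings.push('Error.prepareStackTrace is locked against reassignment');
    } else if (pst.value !== startHook) {
      findings.push('Error.prepareStackTrace hook changed since startup');
    }
  }
  const rep = getDesc(String.prototype, 'replace');
  if (!rep || rep.value !== nativeReplace) {
    findings.push('String.prototype.replace is not the startup function');
  }
  return findings;
}

// Caller lookup that fails closed: no answer at all when the audit is not clean.
function trustedCallerFile() {
  const findings = auditIntrinsics();
  if (findings.length > 0) {
    throw new Error('untrusted intrinsics: ' + findings.join('; '));
  }
  const saved = Error.prepareStackTrace;
  try {
    // V8 passes structured CallSite objects to this hook.
    Error.prepareStackTrace = (_err, frames) => frames;
    const frames = new Error().stack;
    // frames[0] is this function, frames[1] is whoever called it.
    return frames[1] ? frames[1].getFileName() : null;
  } finally {
    Error.prepareStackTrace = saved;
  }
}
```

This is a tripwire, not containment: it only helps if it loads first, and freezing the intrinsics before other code runs, which is the approach ses takes, is the stronger control.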