proposed relationships of Secure EcmaScript, ES3.1, and ES4.
brendan at mozilla.org
Thu Feb 21 10:29:00 PST 2008

On Feb 20, 2008, at 10:48 PM, Mark Miller wrote:
> On Wed, Feb 20, 2008 at 7:35 PM, Brendan Eich <brendan at mozilla.org>
>> Now we could say something about the outer language and the kinds of
>> objects that could be injected. But now the secure dialect in the
>> sandbox is spreading its reference monitor or capability system into
>> the outer language, and that outer language can't be ES3, therefore
>> it can't be ES4-in-full (which is a superset of ES3, modulo de-facto
>> standards fixes).
> I do not understand this comment, and it seems crucial that I do. Can
> you please expand? Thanks.

I'll be concrete and talk about GreaseMonkey. A GM user script is
evaluated in a sandbox, but privileged outer code first injects
certain methods into the sandbox. Those functions delegate to their
prototype for certain properties, notably Function.prototype.apply/
call and the constructor property.

If a GM user script must now be written in a secure dialect, is it
sufficient to ban all writes to computed property names, and to
literal names not on the whitelist?
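The delegation described in the message above, as an added example that is not code from the thread or from GreaseMonkey. It uses Node's built-in `vm` module as a stand-in for the sandbox; `gmLog`, `delegatedNames`, `probeFromSandbox` and `sharedWriteIsVisible` are hypothetical names, and the `marker` property is a constructed value.

```javascript
// Added example: every name here is hypothetical except Node's built-in vm module.
const vm = typeof require === "function"
  ? require("node:vm")
  : process.getBuiltinModule("node:vm"); // ES-module fallback on recent Node

// Outer (privileged) function to be injected, standing in for a GM API method.
function gmLog(msg) { return "logged: " + msg; }

// For each name, find which object on the delegation chain actually holds it.
// Anything not "own" is shared state that the injected function exposes.
function delegatedNames(fn, names) {
  return names.map((name) => {
    let holder = fn;
    while (holder !== null && !Object.prototype.hasOwnProperty.call(holder, name)) {
      holder = Object.getPrototypeOf(holder);
    }
    return { name, own: holder === fn, holder };
  });
}

// Read-only probe run inside a fresh context with gmLog injected: does the
// injected function delegate to the sandbox's intrinsics or to the outer ones?
function probeFromSandbox() {
  const sandbox = vm.createContext({ gmLog });
  return vm.runInContext(`({
    sameProto: Object.getPrototypeOf(gmLog) === Function.prototype,
    sameCtor: gmLog.constructor === Function,
    sameApply: gmLog.apply === Function.prototype.apply
  })`, sandbox);
}

// A write that travels through the delegation chain lands on the outer
// Function.prototype, so unrelated outer functions observe it.
function sharedWriteIsVisible() {
  const sandbox = vm.createContext({ gmLog });
  vm.runInContext(`gmLog.constructor.prototype.marker = "set in sandbox";`, sandbox);
  const seen = (function unrelated() {}).marker === "set in sandbox";
  delete Function.prototype.marker; // remove the constructed marker again
  return seen;
}
```

All three probe fields come back `false`: the sandbox has its own `Function`, but the injected function still delegates to the outer one, which is why the question of which property names sandboxed code may touch reaches into the outer language.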