proposed relationships of Secure EcmaScript, ES3.1, and ES4.

Brendan Eich brendan at
Thu Feb 21 10:29:00 PST 2008

On Feb 20, 2008, at 10:48 PM, Mark Miller wrote:

> On Wed, Feb 20, 2008 at 7:35 PM, Brendan Eich <brendan at>  
> wrote:
>>  Now we could say something about the outer language and the kinds of
>>  objects that could be injected. But now the secure dialect in the
>>  sandbox is spreading its reference monitor or capability system into
>>  the outer language, and that outer language can't be ES3, therefore
>>  it can't be ES4-in-full (which is a superset of ES3, modulo de-facto
>>  standards fixes).
> I do not understand this comment, and it seems crucial that I do. Can
> you please expand? Thanks.

I'll be concrete and talk about GreaseMonkey. A GM user script is  
evaluated in a sandbox, but privileged outer code first injects  
certain methods into the sandbox. Those functions delegate to their  
prototype for certain properties, notably Function.prototype.apply/ 
call and the constructor property.

If a GM user script must now be written in a secure dialect, is it  
sufficient to ban all writes to computed property names, and to  
literal names not on the whitelist?


More information about the Es4-discuss mailing list