Anti-pollution in ES5 by static verification

David-Sarah Hopwood david-sarah at
Fri Dec 4 18:20:42 PST 2009

Mark Miller wrote:
>> Given that primordials (other than the global object) are transitively
>> frozen and that the above whitelist was adequately restrictive, each
>> call of a closed function is fully isolated -- its connectivity to the
>> world outside itself is fully under control of its caller. If the
>> module-function's caller denies access to the global object, the
>> indirect eval function, and to the Function constructor, then the
>> module cannot pollute non-local state.

Note that denying access to the Function constructor is nontrivial:

(function() {}).constructor === Function
// true

(Function.prototype.constructor can be deleted or modified, at least in
SpiderMonkey, but I don't know if that breaks stuff.)

This is why static subsets like ADsafe and Jacaranda have to blacklist
.constructor. I think most of the other stuff they blacklist no longer
needs to be blacklisted in ES5-strict, but I'm not absolutely sure of that.

David-Sarah Hopwood  ⚥

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 292 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the es-discuss mailing list