Anti-pollution in ES5 by static verification (was: Addition of a global namespace function?)

Mark Miller erights at
Fri Dec 4 18:38:54 PST 2009

On Fri, Dec 4, 2009 at 6:23 PM, David-Sarah Hopwood
<david-sarah at> wrote:
> Mark Miller wrote:
>> On Fri, Dec 4, 2009 at 9:52 AM, Mark Miller <erights at> wrote:
>>>> Given that primordials (other than the global object) are transitively
>>>> frozen and that the above whitelist was adequately restrictive, each
>>>> call of a closed function is fully isolated -- its connectivity to the
>>>> world outside itself is fully under control of its caller. If the
>>>> module-function's caller denies access to the global object, the
>>>> indirect eval function, and to the Function constructor, then the
>>>> module cannot pollute non-local state.
>> Note that Function.prototype.constructor should either not be on the
>> whitelist (and should thereby be deleted), or it should be reassigned
>> to something safe during the initial clean-or-die phase. Otherwise
>> "(function(){}).constructor" would give access to the Function
>> constructor, allowing global pollution after all.
>> I cannot currently find in the ES5 spec whether a conforming
>> implementation may/must allow Function.prototype.constructor to be
>> deleted or reassigned.
> It must.
>> Where in the spec is this dealt with?
> Section 15,
> # In every case, the length property of a built-in Function object
> # described in this clause has the attributes [blah]. Every other
> # property described in this clause has the attributes
> # { [[Writable]]: true, [[Enumerable]]: false, [[Configurable]]: true }
> # unless otherwise specified.
> (was just looking it up :-)

Great. That's what I was hoping for. Thanks.

Goal 5 for ES-Harmony at
<>, as agreed at
a previous EcmaScript meeting, is "Support a statically verifiable,
object-capability secure subset.". At the time we agreed to that, we
didn't know whether we'd be able to achieve it. Hypothesis: Regarding
the formal properties of object-capabilities, practicalities aside, I
think the above plan shows that it can be achieved on ES5-strict with
a static verifier and a small clean-or-die startup script. An adequate
hermetic eval can be defined by this startup script as

  function hermeticEval(allegedClosedProgram) {
    return (1,eval)(verify(allegedClosedProgram));

Does this seem right?

> --
> David-Sarah Hopwood  ⚥
> _______________________________________________
> es-discuss mailing list
> es-discuss at

Text by me above is hereby placed in the public domain


More information about the es-discuss mailing list