ES3.1 questions and issues
Mark S. Miller
erights at google.com
Wed Mar 18 09:13:29 PDT 2009
On Tue, Mar 17, 2009 at 10:43 PM, Allen Wirfs-Brock
<Allen.Wirfs-Brock at microsoft.com> wrote:
> You're correct about map. It had previously used [[ThrowingPut]] rather than [[DefineOwnProperty]].
Actually, that's not the issue. Even when map did [[ThrowingPut]], it
was (and is) mutating the newly constructed array, not the object it
is iterating over. In the case of exceptional exit, the partially
constructed result becomes unreachable, and so is unobservable.
> Over specification of non-essential requirements is not necessarily beneficial.
Certainly. By definition. Bad things are bad. The questions are: how
much specification is "over" and which requirements are non-essential?
> Saying the result is unspecified is not open an invitation for
> implementation to expose the user's password or to do anything
> else that would not be normally part of one of these
> algorithms. No rational implementation is going to do
> something like that. "Unspecified" is more a warning to
> programmers that if an exception is thrown they should not
> depend upon the state of the involved objects
Conventional developers seek only functionality, and stay away from
edge conditions. Attackers seek opportunities in edge conditions. So
defenders must reason about the limits on the damage that might be
caused by these edge conditions.
Put another way, conventional developers must code to the intersection
semantics of the platforms in question, since a correct program must
work across all these platforms. Attackers can seek opportunities in
the union semantics, since an attack that works on any platform is
still a successful attack. More deterministic specs narrow the gap
between these two.
So, in attempting to reason about the security of Caja, ADsafe,
WebSandbox, FBJS2, or Jacaranda, we must find some precise
codification of your "No rational implementation is going to do
something like that" and pray that we got it right. If defenders and
implementers read slightly different things into your "something like
that", holes will happen. Better to codify this in the spec, as that's
what the spec is for: an agreed common understanding to serve as a
coordination point for implementers, developers, attackers, and
More information about the Es-discuss