Mark S. Miller
erights at google.com
Wed May 6 10:53:20 PDT 2009
On Wed, May 6, 2009 at 10:11 AM, Brendan Eich <brendan at mozilla.com> wrote:
> Let's cut to the chase if we can. I don't buy the SES first, since it's not
> clear SES is usable but Web Sandbox and others like it are already in use.
For the record, others like it are indeed already in use (FBJS[2?] on
Facebook, Valija on YAP). AFAICT, WebSandbox itself isn't yet. This
isn't quite fair as we intend to borrow many of their good ideas.
We've been using Cajita enough internally at the Caja project, and it
is similar enough in flavor to E, that I am confident it is usable.
Yes, the scale of these is infinitesimal compared to historic ES
use. Based on the record to date, it is clear that full ES has *not*
been usable as a secure language.
And in any case, you started this subthread by asking "What do other
secure subsetters say?" SES is a subset. WebSandbox, Valija, and FBJS2
ideally aren't -- they are a virtualization/emulation of the "whole"
language (given a suitable definition of "whole" -- Valija will do
ES5-strict). These whole language emulations are not "secure", they
are only sandboxed. Since the language being emulated is not secure, a
faithful emulation of that language must preserve its insecurities.
Both the Cajita-like and Valija-like levels are important. For the
Cajita-like level, the remaining pressing issue beyond ES5 is the
whitelisting issue David-Sarah raises. For the Valija-like level, I
think the most important enabler would be some kind of hermetic eval
or spawn primitive for making a new global context (global object and
set of primordials) whose connection to the world outside itself is
under control of its spawner. With such a primitive, we would no
longer need to emulate inheritance and mutable globals per sandbox.
Catchalls are likely to be a relevant enabler at both the Cajita-like
and Valija-like levels. We can discuss both simultaneously if you
like, but I suggest we would have a clearer discussion if we take
these mostly in bottom up order.