New private names proposal

Mark S. Miller erights at
Thu Dec 23 07:52:09 PST 2010

On Thu, Dec 23, 2010 at 5:53 AM, Kevin Smith <khs4473 at> wrote:

> If I might ask a side-question:  what's the value in making an object
> non-extensible in ES5?  I understand the value of making properties
> non-configurable or non-writable, but I don't yet see a reason to prevent
> extensions.

Hi Kevin, Allen also asked about this. Quoting from <>:

Allen asked:

> Even if this style did become the norm, I don't see why you would argue in
> support of mechanisms that allow extension of frozen objects.  Isn't the
> whole point of freezing to prevent any extensions?

I responded:

> No. Let's distinguish two use cases. The point of shallow freezing is to
> create a "tamper proof object" (the phrase I've been using in talks). If x
> is a tamper proof object given to otherwise isolated subsystems A and B,
> then the only interactions between them enabled by giving them x are those
> that the author of x chooses to provide. This helps both security and
> modularity. As David-Sarah points out, only if the author of x is in control
> of what public interface they export can they know what changes they can
> make without breaking clients.
>
> Building on this, the point of transitive immutability is to create objects
> that can be safely shared between isolated subsystems without thereby giving
> them *any* means to interact. With our historic inability to freeze the
> primordials (Object.prototype, etc), our only isolation mechanism was the
> creation of separate frames. In the browser, separate same-origin frames by
> themselves provide no security benefit, but are increasingly used for their
> modularity benefit -- to ensure that various complex subsystems do not
> interfere with each other. Notice that the clone code, whether expressed
> using soft fields or private names, will not succeed at associating default
> behavior with objects from other frames. If same-origin frames grow as the
> best practice, we both lose.
>
> When we are able to freeze the primordials, and combined with our desire to
> remove the global object from the bottom of the scope chain, then we can
> arrange to bring separate subsystems into one frame without interference.
> Then the soft field clone works but the private names clone does not. The
> private names clone *only* works if we bring these all into one frame and
> (by not freezing the primordials) risk that these complex subsystems may
> destructively interfere with each other silently -- with no diagnostic.
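
The three levels of protection discussed in this message (locking existing properties only, shallow freezing into a "tamper proof object", and transitive immutability), as an added example that is not part of the original message. The names `makeX`, `lockProperties`, `deepFreeze`, `subsystemA`, `subsystemB` and `channelsOpen` are hypothetical, and the shared object is a constructed sample.

```javascript
'use strict';

// Constructed sample: x is handed to two otherwise isolated subsystems, A and B.
function makeX() {
  return { greet() { return 'hello'; }, stats: { calls: 0 } };
}

// Lock existing properties only (non-writable, non-configurable); x stays extensible.
function lockProperties(obj) {
  for (const key of Object.getOwnPropertyNames(obj)) {
    Object.defineProperty(obj, key, { writable: false, configurable: false });
  }
  return obj;
}

// Transitive freeze over own properties. Assumption: prototypes (the
// primordials) are frozen separately, so this helper does not walk them.
function deepFreeze(obj, seen = new WeakSet()) {
  if (Object(obj) !== obj || seen.has(obj)) return obj;
  seen.add(obj);
  Object.freeze(obj);
  for (const key of Reflect.ownKeys(obj)) {
    const desc = Object.getOwnPropertyDescriptor(obj, key);
    if ('value' in desc) deepFreeze(desc.value, seen);
  }
  return obj;
}

// A tries two channels the author of x may not have intended; B reports what it sees.
function subsystemA(x) {
  try { x.mailbox = 'from A'; } catch (e) { /* rejected: x is not extensible */ }
  try { x.stats.calls = 42; } catch (e) { /* rejected: nested object is frozen */ }
}
function subsystemB(x) {
  return { viaNewProperty: x.mailbox === 'from A', viaNestedState: x.stats.calls === 42 };
}

// Protect a fresh x with the given function, run A then B, return what B observed.
function channelsOpen(protect) {
  const x = protect(makeX());
  subsystemA(x);
  return subsystemB(x);
}

console.log(channelsOpen(lockProperties)); // both channels open
console.log(channelsOpen(Object.freeze));  // only the nested mutable state remains
console.log(channelsOpen(deepFreeze));     // no channel left
```

With `Object.freeze` the remaining channel is the mutable `stats` object that the author of x chose to expose; only the transitive freeze leaves A and B with no means to interact through x.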