simple modules
ihab.awad at gmail.com
Mon Feb 1 13:48:23 PST 2010
On Mon, Feb 1, 2010 at 9:21 AM, Sam Tobin-Hochstadt <samth at ccs.neu.edu> wrote:
> That's only the case if X, Y, and Z provide access to their internal
> state via the bindings they export.
The problem is not defending the integrity of X, Y and Z. The problem is this:
import X as ...;
import Y as ...;
function f1() { /* operate on the authorities of 'X' */ }
function f2() { /* operate on the authorities of 'Y' */ }
In this fashion, I cannot limit, via lexical scope, that f1 operates
on X but not Y, and that f2 operates on Y but not X.
> It has been my experience that most of the isolation needed between
> modules can be accomplished by lexical scope.
See above.
> ... if I import jQuery to add some simple bit of functionality to my homepage,
> I almost certainly want to give it access to all of the things I have access to.
"Giving <something> access to all of the things I have access to" is
_the_ problem that leads to excess authority, the separation of
designation from authorization assuming ambient authority, and
confused deputy vulnerabilities.
Put another way, in the following:
http://wiki.ecmascript.org/doku.php?id=harmony:harmony
there is the goal:
"Support a statically verifiable, object-capability secure subset."
How does your proposal subset down this way?
Ihab
--
Ihab A.B. Awad, Palo Alto, CA
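The scoping problem Ihab describes, as an added example that is not part of the original post or of any ES module proposal. Both `X` and `Y` are constructed stand-ins for imported modules (each owns one "authority", an append-only log); the first version binds them at module level, so `f1` can reach `Y` whether or not it should, while the second hands each function exactly the authority it needs through a closure, so `Y` is simply not nameable from inside `f1`:

```javascript
// Added example, not from the es-discuss thread. X and Y are constructed
// stand-ins for two imported modules; each owns one "authority", here an
// append-only log that only a holder of the object can write to.
function makeAuthority(name) {
  const entries = [];
  return {
    name,
    write(msg) { entries.push(msg); },
    read() { return entries.slice(); },
  };
}

// Ambient style: X and Y are bound at module level (the analogue of
// `import X as ...; import Y as ...;`), so every function in the module can
// reach both. A bug or a hostile dependency inside f1 can use Y, and
// nothing in the language stops it.
function ambientStyle() {
  const X = makeAuthority('X');
  const Y = makeAuthority('Y');
  function f1() { X.write('f1'); Y.write('f1 wrote here too'); }
  function f2() { Y.write('f2'); }
  f1();
  f2();
  return { X: X.read(), Y: Y.read() };
}

// Capability style: f1 and f2 are produced by factories that receive only
// the authority they are meant to hold. Inside makeF1 the identifier Y is
// a free, unbound name, so the only way f1 could touch Y is if a caller
// passed it in. The probe below tries to use Y anyway and reports the result.
function makeF1(x) {
  return function f1() {
    x.write('f1');
    try {
      Y.write('f1 wrote here too'); // Y is deliberately not in scope here
      return 'reached Y';
    } catch (err) {
      return err instanceof ReferenceError ? 'Y not in scope' : 'unexpected: ' + err;
    }
  };
}

function makeF2(y) {
  return function f2() { y.write('f2'); };
}

function capabilityStyle() {
  const X = makeAuthority('X');
  const Y = makeAuthority('Y');
  const f1 = makeF1(X); // f1 is handed X and nothing else
  const f2 = makeF2(Y); // f2 is handed Y and nothing else
  const probe = f1();
  f2();
  return { X: X.read(), Y: Y.read(), probe };
}

console.log('ambient:   ', JSON.stringify(ambientStyle()));
console.log('capability:', JSON.stringify(capabilityStyle()));
```

The point is not that `f1` in the capability version is trusted; it is that its reach is bounded by what its factory was given, which is checkable by reading `makeF1` alone. In the ambient version the same question requires auditing every function in the module against every import.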