simple modules

ihab.awad at
Mon Feb 1 13:48:23 PST 2010

On Mon, Feb 1, 2010 at 9:21 AM, Sam Tobin-Hochstadt <samth at> wrote:
> That's only the case if X, Y, and Z provide access to their internal
> state via the bindings they export.

The problem is not defending the integrity of X, Y and Z. The problem is this:

  import X as ...;
  import Y as ...;

  function f1() { /* operate on the authorities of 'X' */ }
  function f2() { /* operate on the authorities of 'Y' */ }

In this fashion, I cannot limit, via lexical scope, that f1 operates
on X but not Y, and that f2 operates on Y but not X.

> It has been my experience that most of the isolation needed between
> modules can be accomplished by lexical scope.

See above.

> ... if I import jQuery to add some simple bit of functionality to my homepage,
> I almost certainly want to give it access to all of the things I have access to.

"Giving <something> access to all of the things I have access to" is
_the_ problem that leads to excess authority, the separation of
designation from authorization assuming ambient authority, and
confused deputy vulnerabilities.

Put another way, in the following:

there is the goal:

  "Support a statically verifiable, object-capability secure subset."

How does your proposal subset down this way?


Ihab A.B. Awad, Palo Alto, CA

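The ambient-import problem described above, beside the capability-style alternative, as an added example that is not from the original post or from the proposal under discussion. X and Y are constructed stand-in authorities; the factories makeF1/makeF2 and the helper functions are assumptions made here to show that handing an authority to a function as a parameter, rather than binding it at module scope, lets lexical scope alone bound what each function can reach.

```javascript
// Constructed stand-in for an imported "authority" (what `import X` would bind):
// every use is appended to a shared log so we can see which function reached which authority.
function makeAuthority(name, log) {
  return { name, use(op) { log.push(`${name}:${op}`); } };
}
// Ambient style: X and Y are bound at module scope (as `import X`, `import Y` would do),
// so every function in the module can reach both. f1 is meant to act on X only, but its
// lexical scope says nothing of the kind; only reading its body reveals that it also uses Y.
function ambientModule(log) {
  const X = makeAuthority('X', log);
  const Y = makeAuthority('Y', log);
  function f1() { X.use('read'); Y.use('write'); } // over-reach that scope cannot rule out
  function f2() { Y.use('write'); }
  return { f1, f2 };
}

// Capability style: each function is built by a factory that is handed exactly the authority
// it may use. The factories live here, outside any scope that binds X or Y, so a function's
// reach is fully determined by its parameters and is visible from its signature.
function makeF1(X) { return () => X.use('read'); }
function makeF2(Y) { return () => Y.use('write'); }
// A factory that tries to over-reach the way ambient f1 did: `Y` is not in its lexical scope,
// so the attempt fails at call time with a ReferenceError instead of silently using Y.
function makeOverreachingF1(X) {
  return () => { X.use('read'); Y.use('write'); }; // `Y` is unbound here
}

function capabilityModule(log) {
  const X = makeAuthority('X', log);
  const Y = makeAuthority('Y', log);
  return { f1: makeF1(X), f2: makeF2(Y) }; // X flows only to f1, Y only to f2
}
// Build a module, call f1 then f2, and report which authorities each actually touched.
function authoritiesTouched(build) {
  const log = [];
  const m = build(log);
  const names = () => [...new Set(log.splice(0).map((e) => e.split(':')[0]))];
  m.f1();
  const f1 = names();
  m.f2();
  const f2 = names();
  return { f1, f2 };
}

// True when the over-reaching capability-style f1 is stopped by lexical scope itself.
function overreachFails() {
  const f1 = makeOverreachingF1(makeAuthority('X', []));
  try { f1(); return false; } catch (e) { return e instanceof ReferenceError; }
}
```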
More information about the es-discuss mailing list