Are Private name and Weak Map the same feature? and the Assoc API

David Bruant bruant.d at
Fri Dec 16 12:17:39 PST 2011

Le 16/12/2011 20:58, Brendan Eich a écrit :
> From: "David Bruant" <bruant.d at>
>> Let's say we have two attenuators (proxies which reduce your authority over a given object) constructors we'd like to compose: makeAttenuated1 and makeAttenuated2 
>> ----- 
>> // assuming we have an object 'o' and a private name 'p' 
>> var aao = makeAttenuated2(makeAttenuated1(o)); 
>> aao[p] = 37; 
>> ----- 
>> The 'set' trap of the attenuator2 is called with p.public as name. Then, this attenuator cannot pass p.public to the attenuator1 proxy as a name since p.public is not a name object 
> That's right. Only if the first attenuator is introduced to the private name, or otherwise has access (from birth), in an objcap-safe way, can it tell that p.public corresponds uniquely to p. If it wishes, it can then substitute p for p.public before forwarding to attenuator2.
So, to summurize:
** if I trust a proxy, I share a:
1) name.public
2) a correspondance dictionary
** if I don't trust a proxy, I share:
1) name.public

name.public is public so there is no issue, but we've just shared
name.public with the entire planet. What about just getting rid of the
It would work as follow:
* if I trust a proxy, I share:
1) the private name
* if I don't trust a proxy, I share:
0) nothing!

"When proxy traps are invoked for a private name, they receive the
name’s |.public| property instead of the name itself. *This prevents
unintended leakage of the private name*, but still identifies the name
to code that already has access to it."
=> And what will save me from unintended leakage of the correspondance
(since that's the actual secret unsealer)

... or maybe we can add a public part of the dictionary and create
another dictionary that will do the (public dictionary)->(private
dictionary) correspondance? ;-)

I'm not an expert in objcap, but from all what I've read, it seems to
rely on the rule "if you have it, do whatever you want with it", which
forces the programmer to have a strong hygiene on what she shares, on
what authority she leaves to other (potentially untrusted) parties.
We can have long discussions about the probability of leaking a private
name or a correspondance dictionary but I think we will have left the
realm of object capabilities which is not about probabilities from what
I have read.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the es-discuss mailing list