Are Private name and Weak Map the same feature? and the Assoc API

Brendan Eich brendan at mozilla.com
Fri Dec 16 18:20:58 PST 2011


Thanks, Sam -- couldn't have said it better.

/be

----- Original Message -----
From: "Sam Tobin-Hochstadt" <samth at ccs.neu.edu>
To: "David Bruant" <bruant.d at gmail.com>
Cc: "Brendan Eich" <brendan at mozilla.com>, "es-discuss" <es-discuss at mozilla.org>
Sent: Friday, December 16, 2011 3:24:42 PM
Subject: Re: Are Private name and Weak Map the same feature? and the Assoc API

On Fri, Dec 16, 2011 at 6:09 PM, David Bruant <bruant.d at gmail.com> wrote:
>
>> Requiring you to care in order to avoid leaking private names is incredibly error-prone.
> So is requiring you to care in order to avoid leaking the public ->
> private map. It's no more, no less dangerous or error-prone.
> If I have to be careful about who I hand a reference to the public ->
> private dictionary, how is it more dangerous or error-prone to be
> careful about who you hand the private name to? It's the exact same work.
>
> I think the difference lies in the habit we have in ES5 that "o[n]"
> would not disclose a secret. Also, in ES5+private names "o[n]" does not
> disclose a secret. My impression is that '.public' in an attempt to
> preserve this property with proxies.
>
> I propose to take the other approach which is to accept that "o[n]" may
> disclose 'n' if 'o' is a proxy. I agree this is a big change in how we
> think objects.

I used to think this way about private names and proxies, and argued
for this position. However, I was wrong and it's a bad idea.  Here's
why:

You might want to implement an object with a private field and a
public method like this:

let o = (function () { let n = new Name(); return { [n]: 0; get:
function() { return this[n]; }}})();

But, if we don't censor private names in proxies, this abstraction leaks!

Consider:

let p = new Proxy(...);
o.get.call(p);

Now the name is leaked to the proxy.  And there's no way you can fix
this, without resorting to some other method of hiding things like
closures.

The problem you raise, that ocap-style security relies on not leaking
data *ever*, is, I think, a real one.  But it's one that this solution
for proxies *mitigates*, because almost all the time, you don't ever
want to care about keeping track of which names have which public
version, as in the example I gave.  You only need this is you want to
allow proxies to support your private name, which isn't the case for
every abstraction. But it is the case that without the censoring,
proxies break almost every abstraction built using private names.
-- 
sam th
samth at ccs.neu.edu


More information about the es-discuss mailing list