Security and direct proxies (Was: Re: Lecture series on SES and capability-based security by Mark Miller)

Andreas Rossberg rossberg at google.com
Tue Nov 8 12:50:48 PST 2011


On 8 November 2011 20:46, Mark S. Miller <erights at google.com> wrote:
> In general, for an object to be defensive, much of the surface reachable
> from it by transitive prototype and reflective property traversal should
> usually be frozen, and at least non-extensible. This is possible to express
> in ES5
> <http://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/startSES.js#623>,
> but inconvenient and expensive. That's why I have been advocating better
> defensive abstractions for ES6: "const functions", "const classes",
> "traitsjs" or its syntactic derivatives, etc.
> Nevertheless, I see your point. Many defensive ES5 abstractions will be less
> defensive than this. If I understand you correctly, your point is
> specifically about the [[Call]] and [[Construct]] traps.

Yes. Existing code has no reason to bother making functions
non-extensible if all it does is call them. Proxy.attach
fundamentally breaks that (so far correct, AFAICT) assumption.

> Perhaps we should
> be more conservative here, without necessarily backing away from the whole
> Proxy.attach idea?

Disallowing attaching to functions with your own call/construct traps
would be the minimal restriction, I think. But maybe there is
something cleaner.

/Andreas
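The ES5 technique Mark refers to above, freezing the surface reachable from an object by transitive prototype and own-property traversal, as an added example that is not part of the thread and not SES's own startSES.js code. The names deepFreeze, walkSurface, findExtensible and makeCounter are constructed for this illustration; Proxy.attach is a proposal and not exercised here. The check function shows the point Andreas makes: an ordinary abstraction leaves its methods extensible, because until now nothing depended on functions being non-extensible.

```javascript
// Added example, not code from the thread or from SES: an ES5-style
// transitive freeze over the surface reachable from an object, plus a
// check that lists what is still extensible afterwards.

// Shared builtin prototypes are left alone by default. Freezing them is a
// realm-wide decision (SES takes it at startup), not something a single
// abstraction should impose on its callers.
var DEFAULT_STOP = [Object.prototype, Function.prototype, Array.prototype];

function isObjectLike(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// Visit every object reachable from root through its own properties
// (including non-enumerable ones and accessor getters/setters) and through
// each object's [[Prototype]]. This is the "reflective property traversal"
// surface a defensive abstraction has to worry about.
function walkSurface(root, stopAt, visit) {
  var seen = [];
  var queue = [root];
  while (queue.length) {
    var obj = queue.pop();
    if (!isObjectLike(obj)) continue;
    if (seen.indexOf(obj) !== -1 || stopAt.indexOf(obj) !== -1) continue;
    seen.push(obj);
    visit(obj);
    Object.getOwnPropertyNames(obj).forEach(function (name) {
      var d = Object.getOwnPropertyDescriptor(obj, name);
      if ('value' in d) queue.push(d.value);  // data property value
      if (d.get) queue.push(d.get);            // accessor parts are functions too
      if (d.set) queue.push(d.set);
    });
    queue.push(Object.getPrototypeOf(obj));
  }
}

// Freeze the whole reachable surface: the object, its methods, the methods'
// .prototype objects and anything hanging off them can no longer gain,
// lose or redefine properties.
function deepFreeze(root, stopAt) {
  walkSurface(root, stopAt || DEFAULT_STOP, function (obj) { Object.freeze(obj); });
  return root;
}

// Check: which reachable objects are still extensible? Plain functions show
// up here by default, since callers that only invoke them never had a
// reason to freeze them.
function findExtensible(root, stopAt) {
  var out = [];
  walkSurface(root, stopAt || DEFAULT_STOP, function (obj) {
    if (Object.isExtensible(obj)) out.push(obj);
  });
  return out;
}

// Constructed sample: a small abstraction whose only private state lives in
// a closure, so freezing the surface does not stop it from working.
function makeCounter() {
  var count = 0;
  return {
    inc: function () { count += 1; return count; },
    get: function () { return count; }
  };
}
```

Freezing the surface costs the abstraction nothing functionally: a frozen function is still callable and its closure state still changes. What the freeze buys is that the reachable graph (including the methods, which are where [[Call]] and [[Construct]] behaviour lives) can no longer be extended or redefined by anyone holding a reference.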
