July 26, 2012 TC39 Meeting Notes

Tom Van Cutsem tomvc.be at gmail.com
Fri Aug 3 01:03:26 PDT 2012

Thanks for clarifying the Racket design, Sam.

I like the proposed refactoring where David's proposed "isPrivateNameKnown"
property essentially becomes an extra argument to the Proxy constructor
(let's call it the "name whitelist").

I do agree with David on two points:
- if a name isn't on the name whitelist, the default should not be to
forward (this pierces membranes).

- if the name whitelist is to be an updatable (mutable) collection, it
should probably be a Set (or WeakSet?). Now, the proxy will need to do a
lookup of a private name on the whitelist, so you want to make sure that an
attacker cannot provide a whitelist that steals the name during lookup. Two
ways to achieve that:
1) require that the whitelist be a genuine built-in WeakMap instance.
2) don't turn the whitelist into an explicit collection, instead provide 2
built-ins: Proxy.enableName(proxy,name), Proxy.disableName(proxy,name) to
implicitly control the whitelist. This gives implementors a lot more
freedom in how they store/lookup known private names and sidesteps leaking
names through user-defined whitelists.
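
The lookup leak described in the message, and option 1 as a fix, sketched as an added example (not code from the message or from any proposal). Private names are modelled as frozen object tokens, the whitelist is assumed to be a WeakSet, and all function names are hypothetical.

```javascript
// Constructed stand-in for a private name: an unforgeable object token.
const secretName = Object.freeze({ label: "secret" });

// Vulnerable lookup: dispatches to the whitelist's own `has`, so the name is
// handed to whatever code the whitelist's creator supplied.
function naiveIsKnown(whitelist, name) {
  return Boolean(whitelist.has(name));
}

// Option 1: capture the built-in before any untrusted code runs and call it
// directly. It throws a TypeError unless `whitelist` has the genuine WeakSet
// internal slot, and it never consults a user-defined or overridden `has`.
const builtinHas = Function.prototype.call.bind(WeakSet.prototype.has);
function guardedIsKnown(whitelist, name) {
  return builtinHas(whitelist, name);
}

// Constructed hostile whitelists that record every name they are asked about.
function makeStealers() {
  const stolen = [];
  const duck = { has(name) { stolen.push(name); return true; } };
  class Sub extends WeakSet {
    has(name) { stolen.push(name); return super.has(name); }
  }
  const proxied = new Proxy(new WeakSet(), {});
  return { stolen, duck, sub: new Sub(), proxied };
}

function demo() {
  // Naive lookup: both the duck-typed object and the subclass see the name.
  const a = makeStealers();
  naiveIsKnown(a.duck, secretName);
  naiveIsKnown(a.sub, secretName);
  const leakedNaive = a.stolen.length;

  // Guarded lookup: non-genuine whitelists are rejected, overrides are skipped.
  const b = makeStealers();
  const results = [b.duck, b.sub, b.proxied].map((w) => {
    try { return guardedIsKnown(w, secretName); }
    catch (e) { return e instanceof TypeError ? "rejected" : "error"; }
  });
  return { leakedNaive, leakedGuarded: b.stolen.length, results };
}
```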
