July 26, 2012 TC39 Meeting Notes
Tom Van Cutsem
tomvc.be at gmail.com
Fri Aug 3 01:03:26 PDT 2012
Thanks for clarifying the Racket design, Sam.
I like the proposed refactoring where David's proposed "isPrivateNameKnown"
property essentially becomes an extra argument to the Proxy constructor
(let's call it the "name whitelist").
I do agree with David on two points:
- if a name isn't on the name whitelist, the default should not be to
forward (this pierces membranes).
- if the name whitelist is to be an updatable (mutable) collection, it
should probably be a Set (or WeakSet?). Now, the proxy will need to do a
lookup of a private name on the whitelist, so you want to make sure that an
attacker cannot provide a whitelist that steals the name during lookup. Two
ways to achieve that:
1) require that the whitelist be a genuine built-in WeakMap instance.
2) don't turn the whitelist into an explicit collection, instead provide 2
built-ins: Proxy.enableName(proxy,name), Proxy.disableName(proxy,name) to
implicitly control the whitelist. This gives implementors a lot more
freedom in how they store/lookup known private names and sidesteps leaking
names through user-defined whitelists.
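
The lookup concern and option 1 above, sketched as an added example (it is not part of the original message, and the whitelist argument it models was only a proposal). It assumes the whitelist is a WeakSet, the same brand check applies to a WeakMap, and makeName, lookupNaive, lookupBranded and demo are hypothetical names.

```javascript
// Added illustration, not code from the thread. makeName, lookupNaive,
// lookupBranded and demo are hypothetical names.

// Stand-in for an unforgeable private name (an object, as in the 2012 proposal).
function makeName(label) {
  return Object.freeze({ label });
}

// Naive lookup: invokes whatever `has` the caller-supplied whitelist carries,
// so the whitelist's own code receives the name as an argument.
function lookupNaive(whitelist, name) {
  return Boolean(whitelist.has(name));
}

// Branded lookup: the intrinsic WeakSet.prototype.has, captured once at load.
// It throws TypeError unless the receiver has genuine WeakSet internal state,
// and it never dispatches to an overriding `has` on a subclass or a proxy.
const intrinsicHas = Function.prototype.call.bind(WeakSet.prototype.has);
function lookupBranded(whitelist, name) {
  try {
    return intrinsicHas(whitelist, name);
  } catch (err) {
    if (err instanceof TypeError) return false; // not a real WeakSet: name unknown
    throw err;
  }
}

function demo() {
  const secret = makeName('secret');
  const seen = [];
  // Two caller-controlled whitelists that record every key they are asked about.
  const duckTyped = { has(key) { seen.push(key); return true; } };
  class Recording extends WeakSet {
    has(key) { seen.push(key); return super.has(key); }
  }
  const subclassed = new Recording();

  lookupNaive(duckTyped, secret);
  lookupNaive(subclassed, secret);
  const naiveExposures = seen.length;

  seen.length = 0;
  const results = [
    lookupBranded(duckTyped, secret),             // rejected, treated as unknown
    lookupBranded(subclassed, secret),            // genuine WeakSet, name not in it
    lookupBranded(new WeakSet([secret]), secret), // genuine WeakSet, name listed
  ];
  return { naiveExposures, brandedExposures: seen.length, results };
}
```

Treating a non-genuine whitelist as "name unknown" matches the first point in the message: an unlisted name is not forwarded.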