Experimental implementation of Object.observe & JS Utility library now available

David Bruant bruant.d at gmail.com
Sun Aug 19 07:22:51 PDT 2012


Le 19/08/2012 09:40, Andrea Giammarchi a écrit :
> The Object owner is a bit inconsistent concept in JS + DOM world.
No and yes, but no when one is careful.

The piece of code that creates an object can be considered as its owner.
If some code accesses an object only if it's given a reference to it,
then, anything this code can't touch isn't owned. The other way, if
you're granted a reference to an object, it's original owner has shared
it with you and now, it can be considered that you co-own it.
Languages like C++ really can't have a notion of object ownership since
casting an integer to a pointer enables to point to anywhere, even to
places you don't have explicitely been shared ownership over.
ECMAScript 5 strict mode can have a consistent notion of "object
ownership" (ES5 non-strict with its scope-invasive indirect eval cannot
really). That the "no" part of my answer.
ES.next brings in proxies which allow one to share ownership to an
object, but under control over what can be done to the object as well as
enable to share only for a limited amount of time.

However, current browsers and the DOM have this property that any script
running in an HTML page have access to the document object by using the
"document" variable. Since no script has created this object, none
really owns it. It's just shared by every script in the page. Some call
that "ambient authority". That the "yes" part of my answer.

The last piece of my answer can be achieved with CSP. With CSP, you can
define which script is allowed to run on your page. The initial
(trusted) scripts run and can decide which other script runs under which
condition.
For example, you can decide to run untrusted scripts within a controlled
lexical environment.

Let's say your script is inlined in an HTML page in an script element
with id "bla"
> document.body.innerHTML = '<div><a hraf="#">link</a></div>';
It doesn't run thanks to CSP, but if you want to run it safely, you can
go for:

    var $ = document.querySelector;
    var o = {
        document: {
            body: $('#someDiv')
        }
    }
    var commentScript = $('#bla').textContent;
    with(o){
        eval(commentScript)
    }

When the untrusted script runs, it doesn't have access to the actual
document, but just a div. This is an over-simplified example, for the
longer and more rigourous version, checkout the Caja project. Module
loader will make all of this even easier and less hacky.

In that case with the help of CSP, the untrusted script doesn't have
access to the document. With the help of CSP, the only allowed scripts
can be considered as initial owners of all "ambient authority". It then
becomes their choice to share what they own with other scripts.

>
> is a very basic example ...
>
>  1. was the user owning the document.body ? I don't think so, body is
>     created in any case even if not specified in the markup
>
Everyone owns it. Unless with CSP and lexical confinment.

>  1. was the user able to set mutation event on that element? well,
>     yes, even without ownership
>
Yes, because everyone owns it in the naive case. No if CSP and lexical
confinment is used.
>
>  1. is the user the owner of that link? I don't think so, the DOM is
>     the owner, not the user, who simply relies the fact Mr DOM will
>     create an object for him
>
Same answer as above. Everyone owns the link in the naive case, only
trusted folks in the careful case.
>
>  1. is anyone else able to observe mutation of any element? Yes,
>     'cause there's no way for a user to mark a DOM node as his/her own
>
Same answer as above.

David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20120819/05ad909f/attachment.html>


More information about the es-discuss mailing list