Mark S. Miller erights at
Fri Feb 3 08:12:45 PST 2012

On Fri, Feb 3, 2012 at 7:36 AM, John J Barton
<johnjbarton at> wrote:

> I'm not saying we can't do better, I am claiming that the impact of
> adding security features to the programming language is not (yet?)
> justified.

I must have missed something. What language change suggestions are you
reacting to?

ES5 already supports SES and ES6 will as well, probably somewhat better.
The "costs" were largely non-controversial and are behind us in any case.

> There are better solutions based on iframes that do not
> require such large investments. In particular, systems like q-comm
> allow controlled API access between isolated JS environments.

I am (as you know) a big fan of q-comm and such Q libraries, as well as the
communicating event loop model where iframe/worker like units only interact
by asynchronous messages. These certainly have their place, and that place
is huge.

However, I *strongly* disagree that iframes are a better security mechanism
than the language-based mechanisms provided by SES. iframes are an unholy
mess, and *by design and specification* (both old and HTML5) cannot support
confinement. The best way to leverage the security that Q-like libraries
can provide is to see them as extending SES out onto the network.

We can talk more about this offline if you'd like.

