How to ensure that your script runs first in a webpage
Mark S. Miller
erights at google.com
Fri Feb 3 08:12:45 PST 2012
On Fri, Feb 3, 2012 at 7:36 AM, John J Barton
<johnjbarton at johnjbarton.com>wrote:
[...]
> I'm not saying we can't do better, I am claiming that the impact of
> adding security features to the programming language is not (yet?)
> justified.
I must have missed something. What language change suggestions are you
reacting to?
ES5 already supports SES and ES6 will as well, probably somewhat better.
The "costs" were largely non-controversial and are behind us in any case.
> There are better solutions based on iframes that do not
> require such large investments. In particular, systems like q-comm
> allow controlled API access between isolated JS environments.
I am (as you know) a big fan of q-comm and such Q libraries, as well as the
communicating event loop model where iframe/worker like units only interact
by asynchronous messages. These certainly have their place, and that place
is huge.
However, I *strongly* disagree that iframes are a better security mechanism
than the language-based mechanisms provided by SES. iframes are an unholy
mess, and *by design and specification* (both old and HTML5) cannot support
confinement. The best way to leverage the security that Q-like libraries
can provide is to see them as extending SES out onto the network.
We can talk more about this offline if you'd like.
--
Cheers,
--MarkM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20120203/12d0b837/attachment.html>
More information about the es-discuss
mailing list