How to ensure that your script runs first in a webpage

Mark S. Miller erights at google.com
Fri Feb 3 08:12:45 PST 2012


On Fri, Feb 3, 2012 at 7:36 AM, John J Barton
<johnjbarton at johnjbarton.com>wrote:
[...]

> I'm not saying we can't do better, I am claiming that the impact of
> adding security features to the programming language is not (yet?)
> justified.


I must have missed something. What language change suggestions are you
reacting to?

ES5 already supports SES and ES6 will as well, probably somewhat better.
The "costs" were largely non-controversial and are behind us in any case.



>  There are better solutions based on iframes that do not
> require such large investments. In particular, systems like q-comm
> allow controlled API access between isolated JS environments.


I am (as you know) a big fan of q-comm and such Q libraries, as well as the
communicating event loop model where iframe/worker like units only interact
by asynchronous messages. These certainly have their place, and that place
is huge.

However, I *strongly* disagree that iframes are a better security mechanism
than the language-based mechanisms provided by SES. iframes are an unholy
mess, and *by design and specification* (both old and HTML5) cannot support
confinement. The best way to leverage the security that Q-like libraries
can provide is to see them as extending SES out onto the network.

We can talk more about this offline if you'd like.

-- 
    Cheers,
    --MarkM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20120203/12d0b837/attachment.html>


More information about the es-discuss mailing list