How to ensure that your script runs first in a webpage

John J Barton johnjbarton at johnjbarton.com
Fri Feb 3 08:54:08 PST 2012


On Fri, Feb 3, 2012 at 8:12 AM, Mark S. Miller <erights at google.com> wrote:
> On Fri, Feb 3, 2012 at 7:36 AM, John J Barton <johnjbarton at johnjbarton.com>
> wrote:
> [...]
>>
>> I'm not saying we can't do better, I am claiming that the impact of
>> adding security features to the programming language is not (yet?)
>> justified.
>
>
> I must have missed something. What language change suggestions are you
> reacting to?
>
> ES5 already supports SES and ES6 will as well, probably somewhat better. The
> "costs" were largely non-controversial and are behind us in any case.
>

Well, David seems to be building up to something, so I wanted to get
some controversy out in front.

>>
>>  There are better solutions based on iframes that do not
>> require such large investments. In particular, systems like q-comm
>> allow controlled API access between isolated JS environments.
>
>
> I am (as you know) a big fan of q-comm and such Q libraries, as well as the
> communicating event loop model where iframe/worker like units only interact
> by asynchronous messages. These certainly have their place, and that place
> is huge.
>
> However, I *strongly* disagree that iframes are a better security mechanism
> than the language-based mechanisms provided by SES. iframes are an unholy
> mess, and *by design and specification* (both old and HTML5) cannot support
> confinement. The best way to leverage the security that Q-like libraries can
> provide is to see them as extending SES out onto the network.

iframes seem to be effective for the cases David outlined.

jjb

