How to ensure that your script runs first in a webpage

John J Barton johnjbarton at
Fri Feb 3 08:54:08 PST 2012

On Fri, Feb 3, 2012 at 8:12 AM, Mark S. Miller <erights at> wrote:
> On Fri, Feb 3, 2012 at 7:36 AM, John J Barton <johnjbarton at>
> wrote:
> [...]
>> I'm not saying we can't do better, I am claiming that the impact of
>> adding security features to the programming language is not (yet?)
>> justified.
> I must have missed something. What language change suggestions are you
> reacting to?
> ES5 already supports SES and ES6 will as well, probably somewhat better. The
> "costs" were largely non-controversial and are behind us in any case.

Well, David seems to be building up to something, so I wanted to get
some controversy out in front.

>> There are better solutions based on iframes that do not
>> require such large investments. In particular, systems like q-comm
>> allow controlled API access between isolated JS environments.
> I am (as you know) a big fan of q-comm and such Q libraries, as well as the
> communicating event loop model where iframe/worker like units only interact
> by asynchronous messages. These certainly have their place, and that place
> is huge.
> However, I *strongly* disagree that iframes are a better security mechanism
> than the language-based mechanisms provided by SES. iframes are an unholy
> mess, and *by design and specification* (both old and HTML5) cannot support
> confinement. The best way to leverage the security that Q-like libraries can
> provide is to see them as extending SES out onto the network.

iframes seem to be effective for the cases David outlined.


More information about the es-discuss mailing list