Improving Function.prototype.bind

David Bruant bruant.d at gmail.com
Fri Jan 6 01:31:29 PST 2012


Le 06/01/2012 06:03, Mark S. Miller a écrit :
> Such a built in memoization, whether by boundTo or this enhancement to 
> bind itself, creates a fatal ambient communications channel.
>
>     // initSES initialization, freezing all built in primordials other 
> than the true global
>
>     // load Alice as a confined object graph
>
>     // load Bob as a confined object graph. Alice and Bob should not 
> be able to communicate
>     // Covert channels mean we might not be able to prevent them from 
> communicating bits
>     // But we must certainly prevent capability leaks
>
>     Alice says
>
>         Object.boundTo(Object).foo = capabilityBobShouldntGet;
> or
>         Object.bind(Object).foo = capabilityBobShouldntGet;
>
>     Bob says
>
>         var HAH = Object.boundTo(Object).foo;
> or
>         var HAH = Object.bind(Object).foo;
>
> David's WeakMap approach elegantly avoid this problem, because Alice 
> and Bob can only communicate if they already share access to this 
> WeakMap, in which case they could already communicate anyway.
Are you talking about https://gist.github.com/1567494 ?
Because I think I have the same issue. I think I faithfully implemented 
what Andrea described.
Everyone with access to Object.prototype.boundTo has (implicitely) 
access to the WeakMap, so the capability leak you describe remains in my 
example, I think.

David


More information about the es-discuss mailing list