Improving Function.prototype.bind
David Bruant
bruant.d at gmail.com
Fri Jan 6 08:31:12 PST 2012
On 06/01/2012 06:03, Mark S. Miller wrote:
> Such a built in memoization, whether by boundTo or this enhancement to
> bind itself, creates a fatal ambient communications channel.
>
> // initSES initialization, freezing all built in primordials other than the true global
>
> // load Alice as a confined object graph
>
> // load Bob as a confined object graph. Alice and Bob should not be able to communicate
> // Covert channels mean we might not be able to prevent them from communicating bits
> // But we must certainly prevent capability leaks
>
> Alice says
>
> Object.boundTo(Object).foo = capabilityBobShouldntGet;
>
> Bob says
>
> var HAH = Object.boundTo(Object).foo;

If Alice and Bob have been loaded as confined object graphs, they could
both be exposed to different objects for what each refers to as "Object",
no? This can be applied to all objects they could have in common (at some
memory cost, obviously), I think.

Maybe some problem can arise when the object is not retrieved from an
identifier, but when its identity is guaranteed by the language, for
instance 'Object.getPrototypeOf({})'. It can probably be worked around
too, but sounds more complicated.

Since Alice and Bob don't have any reference in common by default, they
wouldn't have a communication channel thanks to boundTo.

I think ES6 will help out more to prevent sharing the same object at lower
cost with module loaders (if I understand them properly) and proxies
(let Object2 = new Proxy(Object) to create the same object with a
different identity).

David
PS: by the way, what does "HAH" mean?
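
The three cases discussed in this exchange (a shared frozen primordial, a distinct "Object" per confined graph, and an object whose identity the language guarantees), as an added example that is not part of either message. boundTo was only a proposal, so it is modelled here as a free function; `makeBoundTo`, `leaks` and the stand-in functions are hypothetical names constructed for the illustration.

```javascript
'use strict';

// Hypothetical memoizing boundTo (the proposal in this thread; not a real built-in).
// Modelled as a free function so no primordial is modified.
function makeBoundTo() {
  const memo = new WeakMap(); // fn -> WeakMap(thisArg -> bound function)
  return function boundTo(fn, thisArg) {
    if (!memo.has(fn)) memo.set(fn, new WeakMap());
    const perFn = memo.get(fn);
    if (!perFn.has(thisArg)) perFn.set(thisArg, fn.bind(thisArg));
    return perFn.get(thisArg); // same bound function for every caller
  };
}

// Constructed scenario: Alice stores a value on the memoized bound function,
// Bob looks for it. Each is handed the object it will see as "Object".
function leaks(aliceView, bobView, pick = (view) => view) {
  const boundTo = makeBoundTo(); // shared ambient primitive
  const capability = { name: 'capabilityBobShouldntGet' };
  const a = pick(aliceView);
  boundTo(a, a).foo = capability;            // Alice
  const b = pick(bobView);
  return boundTo(b, b).foo === capability;   // Bob
}

// Stand-ins for per-compartment copies of "Object" (constructed, frozen).
const shared = Object.freeze(function SharedObject() {});
const aliceObject = Object.freeze(function AliceObject() {});
const bobObject = Object.freeze(function BobObject() {});

// 1. Same frozen primordial: freezing it does not freeze the memoized bound function.
const sharedLeaks = leaks(shared, shared);
// 2. Distinct identities per compartment: different memo entries, no channel.
const separateLeaks = leaks(aliceObject, bobObject);
// 3. Both ignore what they were handed and reach an object whose identity the
//    language guarantees, so the channel reopens.
const literalLeaks = leaks(aliceObject, bobObject,
  () => Object.getPrototypeOf({}).constructor);

console.log({ sharedLeaks, separateLeaks, literalLeaks });
```
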