Improving Function.prototype.bind

David Bruant bruant.d at gmail.com
Fri Jan 6 08:31:12 PST 2012


Le 06/01/2012 06:03, Mark S. Miller a écrit :
> Such a built in memoization, whether by boundTo or this enhancement to 
> bind itself, creates a fatal ambient communications channel.
>
>     // initSES initialization, freezing all built in primordials other 
> than the true global
>
>     // load Alice as a confined object graph
>
>     // load Bob as a confined object graph. Alice and Bob should not 
> be able to communicate
>     // Covert channels mean we might not be able to prevent them from 
> communicating bits
>     // But we must certainly prevent capability leaks
>
>     Alice says
>
>         Object.boundTo(Object).foo = capabilityBobShouldntGet;
>
>     Bob says
>
>         var HAH = Object.boundTo(Object).foo;
If Alice and Bob have been loaded as confined object graphs, they could 
both be exposed different objects for what each refer to as "Object", 
no? This can be applied to all object they could have in common (at some 
memory cost, obviously), I think.
Maybe some problem can arise when the object is not retrieved from an 
identifier, but when its identity is guaranteed by the language, for 
instance 'Object.getPrototypeOf({})'. It can probably be worked around 
too, but sounds more complicated.

Since Alice and Bob don't have any reference in common by default, they 
wouldn't have a communication channel thanks to boundTo.

I think ES6 will help out more to prevent sharing same object at lower 
cost with module loaders (if I understand them properly) and proxies 
(let Object2 = new Proxy(Object) to create the same object with a 
different identity).

David

Ps: by the way, what does "HAH" mean?


More information about the es-discuss mailing list