Error stack

Charles Kendrick charles at
Sat Jun 9 09:36:51 PDT 2012

On Fri, Jun 8, 2012 at 6:48 PM, Erik Arvidsson <erik.arvidsson at> wrote:
> On Fri, Jun 8, 2012 at 4:10 PM, Charles Kendrick <charles at> wrote:
>>> Once again, exposing the actual arguments, receiver and function
>>> object references is a security issue and completely out of scope for
>>> this. This is not related to cross domain access but related to object
>>> capabilities.
>> Erik how do you reconcile this with the fact that this information can
>> already be obtained in most production browsers via stack walking?
> Stack walking is not available in strict functions.

Interesting, but it doesn't speak against programmatic access to the
call stack.

If "use strict" or any other security feature means that
function.arguments are not accessible to a given script, then the same
constraint could be trivially enforced with programmatic access to the
call stack.

The same could be applied to access to the receiver or values of local
variables.  In fact, V8's CallSite API makes the receiver inaccessible
for a strict mode function (I just checked).

More information about the es-discuss mailing list