ES Modules: suggestions for improvement

Jussi Kalliokoski jussi.kalliokoski at gmail.com
Wed Jun 27 11:34:29 PDT 2012


> "For security, the Loader object could be frozen with Object.freeze to
> prevent additional changes."
> => This is not enough. People shouldn't have to opt-in for security,
> mostly because they don't do it. I would call for security by default here
> and having "import <path>" call the built-in Loader.resolve instead of the
> dynamic one.
> If people want to override the Loader API, they would have to forget about
> syntax. Or a new syntax could be introduced, making clear that it's
> dangerous. Maybe something like "importDyn".
>

Sorry to arrive late to the party, but I don't see the security issue here.
Is this about third party scripts being able to change what modules get
loaded, to inject a malicious script into a module path? Why would they do
that if they already have script access and can import the malicious stuff
themselves? Or is this something about leaking secrets?

Cheers,
Jussi