Symbols, Protocols, Frames, and Versioning

Brendan Eich brendan at
Wed Oct 3 17:06:10 PDT 2012

David Bruant wrote:
> Unforgeability can be given up, but you end up with global namespaces.
> new Symbol("21fef4ae-1439-4b6a-b412-3585906b35f1"); or
> "org.ecmascript.system.iterator"

This is no better than dunder-iterator (I mean '__iterator__', I just 
like typing dunder- ;-), or just 'iterator' (what Firefox uses currently).

> I've faced an equivalent problem recently, so I wish to take this
> occasion to share an idea on how to fix the awful security policy of
> local storage.
> An alternative design would be that instead of defaulting to Same-Origin
> Policy, we'd say that storages are only available initially to those who
> create it and who the creator shared it with.

Ocap, yay! [sincere here]

>      var s = new Storage();
>      s.secret; // serializable identifier
>      // send the identifier to anywho is trusted like another frame or a
> server
>      // in another frame/tab/window (of the same browser obviously)
>      var s = Storage.get(secret);
>      // same storage regardless of the origin
> Trust domain is no longer "Same-Origin" but rather "whoever knows the
> secret id *regardless* of the origin". The secret can even be hidden
> from same-origin pages. Useful when webservers hosts content from
> different people; at my school, people had
> addresses. Creating one page, I
> could have stolen the local storage of my school domain anytime.

Yes, old prob with same-origin. Remember The fix 
costs in subdomains.

BTW I am speaking on "The Same-Origin Saga" at AppSecUSA 2012 in Austin 
on the 26th:

I'll have a look at your Extorage thing when able, thanks for the link.


>   It
> makes the feature basically unusable for such cases.
> It's the global identifier pattern. Local storage secrets needs to
> transfered from server to client to recover the storage securely. Of
> course, the secret needs to be sent over HTTPS :-)
> The private symbol has been replaced by a storage instance, but it's the
> same problem, I think.
> For that matter, I've started a prototype implementation [1]. I have all
> ideas straight, but the prototype isn't functional yet. I need to hack
> on DNS (which I know nothing about); if anyone is interested in helping
> on that, I'll be happy of the help.
> David
> [1]
> _______________________________________________
> es-discuss mailing list
> es-discuss at

More information about the es-discuss mailing list