July 26, 2012 TC39 Meeting Notes

David Bruant bruant.d at gmail.com
Mon Sep 24 01:24:38 PDT 2012


On 24/09/2012 10:04, Tom Van Cutsem wrote:
> 2012/9/24 David Bruant <bruant.d at gmail.com>
>
>     On 23/09/2012 22:04, Herby Vojčík wrote:
>     > Hello,
>     >
>     > maybe I missed something, but how will you secure the whitelist
>     > itself? Malicious proxy knowing righteous one can steal its whitelist,
>     > afaict.
>     I'm sorry, I don't understand what you're saying here. Can you be more
>     specific and provide an example of an attack?
>
>     As far as I'm concerned, I consider the design secure, because it's
>     possible to easily write code so that only a proxy (or its handler to
>     be more accurate) has access to its whitelist and nothing else.
>
>
> Right. Perhaps what Herby meant is that the proxy might provide a
> malicious whitelist to steal the names being looked up in them. This
> will be prevented by requiring the whitelist to be a genuine, built-in
> WeakSet. The proxy will use the built-in WeakSet.prototype.get method
> to look up a name in that whitelist, so a proxy can't monkey-patch that
> method to steal the name either.
True. I think a lot of that part depends on how WeakSet/Set are spec'ed.
It might be possible to accept proxies wrapping WeakSets (which is
likely to be helpful with membranes) and perform the check on the target
directly, bypassing the proxy traps. Or maybe consider the built-in
WeakSet.prototype.get method as a private named method on the weakset
instance and only call the unknownPrivateName trap.

David
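
The whitelist lookup discussed in this message, as an added example that is not part of the original post or of any engine's code: calling a captured built-in on the whitelist keeps the name away from fake whitelists and from a later monkey-patch, and it also rejects a proxy-wrapped WeakSet, the membrane case raised above. The thread writes `WeakSet.prototype.get`; standardized ECMAScript exposes membership as `has`, which is used here. `checkWhitelist`, `naiveCheck` and `demo` are hypothetical names, and the objects are constructed stand-ins for private names.

```javascript
// Capture the built-in once, before untrusted code can replace it.
const builtinHas = WeakSet.prototype.has;
const apply = Reflect.apply;

// Hypothetical stand-in for the engine-side lookup.
// Returns 'known', 'unknown', or 'rejected' (not a genuine WeakSet).
function checkWhitelist(whitelist, name) {
  try {
    // The built-in brand-checks its receiver: an object without the WeakSet
    // internal slot (plain object, proxy) throws TypeError before any
    // user-supplied code can observe `name`.
    return apply(builtinHas, whitelist, [name]) ? 'known' : 'unknown';
  } catch (e) {
    if (e instanceof TypeError) return 'rejected';
    throw e;
  }
}

// For contrast: dispatching through the object hands `name` to whatever
// `has` the whitelist (or a patched prototype) provides.
function naiveCheck(whitelist, name) {
  return whitelist.has(name) ? 'known' : 'unknown';
}

function demo() {
  const secret = {};                      // constructed stand-in for a private name
  const genuine = new WeakSet([secret]);
  const leaked = [];
  const fake = { has(n) { leaked.push(n); return true; } };  // name-stealing whitelist
  const wrapped = new Proxy(genuine, {}); // what a membrane would hand over

  const results = {
    naiveFake: naiveCheck(fake, secret),          // leaks the name
    safeFake: checkWhitelist(fake, secret),
    safeGenuine: checkWhitelist(genuine, secret),
    safeUnknown: checkWhitelist(genuine, {}),
    safeWrapped: checkWhitelist(wrapped, secret),
  };

  // Monkey-patch the prototype after capture; the captured method is unaffected.
  const original = WeakSet.prototype.has;
  WeakSet.prototype.has = function (n) { leaked.push(n); return false; };
  try {
    results.safeAfterPatch = checkWhitelist(genuine, secret);
  } finally {
    WeakSet.prototype.has = original;
  }
  results.leakCount = leaked.length;      // only the naive lookup leaked
  return results;
}
```

The `'rejected'` result for the wrapped set is why accepting membrane-wrapped whitelists would need the check to be performed on the proxy's target, as the message suggests.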