July 26, 2012 TC39 Meeting Notes
herby at mailbox.sk
Mon Sep 24 02:41:45 PDT 2012
David Bruant wrote:
> Le 24/09/2012 10:04, Tom Van Cutsem a écrit :
>> 2012/9/24 David Bruant <bruant.d at gmail.com <mailto:bruant.d at gmail.com>>
>> Le 23/09/2012 22:04, Herby Vojčík a écrit :
>> > Hello,
>> > maybe I missed something, but how will you secure the whitelist
>> > itself? Malicious proxy knowing righteous one can steal its
>> > afaict.
>> I'm sorry, I don't understand what you're saying here. Can you be more
>> specific and provide an example of an attack?
>> As far as I'm concerned, I consider the design secure, because it's
>> possible to easily write code so that only a proxy (or it's handler to
>> be more accurate) has access to its whitelist and nothing else.
Ah, here was the confusion, the handler has the whitelist, so no attack
possible. Sorry for false alarm.
>> Right. Perhaps what Herby meant is that the proxy might provide a
>> malicious whitelist to steal the names being looked up in them. This
>> will be prevented by requiring the whitelist to be a genuine, built-in
>> WeakSet. The proxy will use the built-in WeakSet.prototype.get method
>> to lookup a name in that whitelist, so a proxy can't monkey-patch that
>> method to steal the name either.
> True. I think a lot of that part depends on how WeakSet/Set are spec'ed.
> It might be possible to accept proxies wrapping WeakSets (which is
> likely to be helpful with membranes) and perform the check on the target
> directly, bypassing the proxy traps. Or maybe consider the built-in
> WeakSet.prototype.get method as a private named method on the weakset
> instance and only call the unknownPrivateName trap.
More information about the es-discuss