July 26, 2012 TC39 Meeting Notes

Herby Vojčík herby at mailbox.sk
Mon Sep 24 02:41:45 PDT 2012

David Bruant wrote:
> Le 24/09/2012 10:04, Tom Van Cutsem a écrit :
>> 2012/9/24 David Bruant <bruant.d at gmail.com <mailto:bruant.d at gmail.com>>
>>     Le 23/09/2012 22:04, Herby Vojčík a écrit :
>>     > Hello,
>>     >
>>     > maybe I missed something, but how will you secure the whitelist
>>     > itself? Malicious proxy knowing righteous one can steal its
>>     whitelist,
>>     > afaict.
>>     I'm sorry, I don't understand what you're saying here. Can you be more
>>     specific and provide an example of an attack?
>>     As far as I'm concerned, I consider the design secure, because it's
>>     possible to easily write code so that only a proxy (or it's handler to
>>     be more accurate) has access to its whitelist and nothing else.

Ah, here was the confusion, the handler has the whitelist, so no attack 
possible. Sorry for false alarm.


>> Right. Perhaps what Herby meant is that the proxy might provide a
>> malicious whitelist to steal the names being looked up in them. This
>> will be prevented by requiring the whitelist to be a genuine, built-in
>> WeakSet. The proxy will use the built-in WeakSet.prototype.get method
>> to lookup a name in that whitelist, so a proxy can't monkey-patch that
>> method to steal the name either.
> True. I think a lot of that part depends on how WeakSet/Set are spec'ed.
> It might be possible to accept proxies wrapping WeakSets (which is
> likely to be helpful with membranes) and perform the check on the target
> directly, bypassing the proxy traps. Or maybe consider the built-in
> WeakSet.prototype.get method as a private named method on the weakset
> instance and only call the unknownPrivateName trap.
> David

More information about the es-discuss mailing list