Why not private symbols?

Brendan Eich brendan at mozilla.com
Fri Aug 2 13:18:05 PDT 2013

Practically speaking, given dynamic-this-binding by default in JS, it's 
too easy to access a foreign object with an important name (private 
symbol in the hypothesis). It will happen. You will leak it. It can then 
be used to attack you.


Domenic Denicola wrote:
> From: Brandon Benvie [bbenvie at mozilla.com]
>> That would leak the Symbol to the Proxy and then private Symbols wouldn't carry a guarantee of security. That's the only difference between private Symbols and unique Symbols.
> Right, I thought about that, but I am still not quite clear on what the attack is here. From an ocap sense, it feels like you're handing off the private symbol to the proxy, which is just like exporting it from your module or passing it to a function. Why should the proxy not have access to something that you gave it?
> The attacks I normally consider public symbols vulnerable to are of the form:
> ```js
> module "foo" {
>    const public = Symbol();
>    export default {
>      [public]: 10
>    };
> }
> module "bar" {
>    import foo from "foo";
>    // Nobody gave me access to the `public` symbol, but I can still do:
>    const public = Object.getOwnPropertyKeys(foo)[0];
>    // Now I can modify the exported object:
>    foo[public] = 20;
> }
> ```
> What would the similar attack code look like for a proxy?
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss

More information about the es-discuss mailing list