direct_proxies "problem"

Andrea Giammarchi andrea.giammarchi at
Sat Jan 12 15:14:40 PST 2013

David if you think about the most used library out there and the fact it
would like to threat not only DOM nodes but objects or arrays too, you
realize we might have a problem with a proxy in the wild that is wrapping a
DOM node, isn't it?


So this unable to recognize but able to create could be a problem and/or a
security issue. A proxy that lands inside jQuery closure, or any other
similar library, might have the ability to do many things silently and
behind the scene.

If this is meant, we should all know and eventually deal, if necessary,
with this.

On Sat, Jan 12, 2013 at 3:09 PM, Nathan Wall <nathan.wall at> wrote:

> hmm.. I just realized that B doesn't have direct access to O. So even if B
> does have access to M, trying to get N from P[M] would expose N to the
> membrane.
> So perhaps I don't understand your original dilemma?
> (Forgive me if I'm making you repeat past discussions for my sake. It's
> not my intention to just make you explain things to me that the rest of the
> list already understands.)
> Nathan
> > Here's how I'm imagining it: So if A shares object O with B, the
> membrane may wrap O in proxy P. O may have a private symbol properties M
> and N, where the property for symbol M actually points to symbol N:
> >
> > let O = { },
> > M = new Symbol(true/* private */),
> > N = new Symbol(true/* private */);
> > O[M] = N;
> > O[N] = null;
> >
> > When A shares O with B, the membrane will not be able to see either one
> of these symbols.
> >
> > Let's assume no `unknownPrivateSymbol` trap.
> >
> > The objects cannot yet communicate without the membrane knowing because
> B does not know O's private symbols.
> >
> > Later if A shares private symbol M with B, the membrane will intercept
> the symbol and add it to the whitelist before passing it along. Now the
> membrane knows about M but it can only learn about N by searching all
> previous communications for M. The membrane could in theory discover N by
> searching previous communications for M and finding N in O. I agree with
> you though that this is a pretty huge overhead for the membrane to have to
> do, so let's look for another way.
> >
> > If the membrane fails to search O for M, then B can discover N
> under-the-hood -- that is, B gets access to a private symbol that the
> membrane doesn't have on its whitelist.
> >
> > However, what if the membrane, instead of passing along M, creates a new
> private symbol M2, and this is the actual symbol shared with B. Now if B
> checks O for property M2 it will not be able to uncover the symbol N. The
> membrane adds M2 to its whitelist and anytime B tries to send M2 back to A,
> the membrane converts it to M (and vice versa). Therefore, A always sees
> only symbol M and B always sees only symbol M2.
> >
> > Does this work and allow us to do without `unknownPrivateSymbol`?
> >
> > (An even easier alternative is that the membrane could prevent sharing
> private symbols.)
> >
> > Nathan
> > _______________________________________________
> > es-discuss mailing list
> > es-discuss at
> >
> _______________________________________________
> es-discuss mailing list
> es-discuss at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the es-discuss mailing list