Security Demands Simplicity (was: Private Slots)

David Bruant bruant.d at gmail.com
Sun Jan 20 06:37:30 PST 2013


On 20/01/2013 06:36, Kevin Smith wrote:
>
>     It is not. At the exit of the get trap, the JS engine checks
>     whether invariants should be enforced for the given property on
>     the target. In your case, the runtime sees that the target has a
>     non-configurable non-writable property called 'foo' with 1 as
>     value. When you try to return 0, it will throw a TypeError because
>     of invariant violation. You can read about invariants at
>     http://wiki.ecmascript.org/doku.php?id=harmony:direct_proxies#invariant_enforcement
>
>
> Excellent - thanks for the link!  One more:  What is the reason for 
> not providing an API for unwrapping a proxy (e.g. your 
> proxyToFinalTarget)?
If anyone can unwrap proxies, then the security benefits they provide 
are virtually non-existent akin to the Reflect API in Java.
It's possible to implement such a function yourself and expose it for 
some of your proxies, but it should be an opt-in, not something 
available by default to everyone in the language.

David
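
The two points in this message, as an added example that is not part of the original post: the `get` trap invariant check on a non-configurable, non-writable property, and unwrapping offered only as an opt-in through a private `WeakMap`. The names `readThroughLyingProxy`, `makeWrapperFactory`, `wrap`, `unwrap` and `demoOptInUnwrap` are hypothetical, and the sample objects are constructed.

```javascript
// Part 1: invariant enforcement at the exit of the get trap.
function readThroughLyingProxy() {
  const target = {};
  Object.defineProperty(target, 'foo', {
    value: 1, writable: false, configurable: false, enumerable: true,
  });
  target.bar = 1; // ordinary writable, configurable property: no invariant

  const proxy = new Proxy(target, {
    get() { return 0; }, // handler reports 0 for every property
  });

  const result = { bar: proxy.bar, foo: null }; // bar may be misreported
  try {
    result.foo = proxy.foo; // engine compares 0 against the frozen value 1
  } catch (e) {
    result.foo = e instanceof TypeError ? 'TypeError' : 'other error';
  }
  return result;
}

// Part 2: opt-in unwrapping. The proxy -> target map lives in a closure,
// so only code handed `unwrap` can use it, and only for proxies that were
// registered as unwrappable when they were created.
function makeWrapperFactory() {
  const targets = new WeakMap();
  return {
    wrap(target, handler, { unwrappable = false } = {}) {
      const proxy = new Proxy(target, handler);
      if (unwrappable) targets.set(proxy, target);
      return proxy;
    },
    unwrap(proxy) { return targets.get(proxy); }, // undefined if not opted in
  };
}

function demoOptInUnwrap() {
  const { wrap, unwrap } = makeWrapperFactory();
  const secret = { token: 'constructed-sample' };
  const open = wrap(secret, {}, { unwrappable: true });
  const sealed = wrap(secret, { get() { return undefined; } });
  return {
    openUnwraps: unwrap(open) === secret,
    sealedUnwraps: unwrap(sealed) !== undefined,
    sealedLeaks: sealed.token !== undefined,
  };
}
```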