Security Demands Simplicity (was: Private Slots)

Brendan Eich brendan at
Sun Jan 20 18:39:21 PST 2013

Allen Wirfs-Brock wrote:
> This really makes me start to question even more the viability of 
> Proxy based membranes (direct proxies, at least) as an isolation 
> mechanism. Independent of private Symbols,  it isn't clear that it is 
> a practical approach.

Firefox relies on proxies based on the original spec. They are "viable" 
-- we don't have any soundness problems, and we bugfix validity problems 
until zarro boogs.

Of course, we have not yet implemented symbols, private or public.

Seriously, why are you doubting proxies? Please give more of an 
analytical argument. Yes, unknownPrivateSymbol as a "throw or do 
nothing" trap seems hacky. We may find a better way. But that's not a 
problem with proxies or membranes so much as private symbols in 
conjunction with the MOP and the integrity properties we want to enforce.


More information about the es-discuss mailing list