Private symbols auto-unwrapping proxies (was: Security Demands Simplicity (was: Private Slots))

David Bruant bruant.d at gmail.com
Wed Jan 23 10:37:39 PST 2013


Le 23/01/2013 09:38, Tom Van Cutsem a écrit :
> 3) because of JS's "invoke = get + apply" semantics, by default a 
> proxy always leaves the |this| value pointing at the proxy.
>
> Looking only at 3), sometimes this is what you want, and sometimes it 
> isn't.
In which case would it be what you want?
The example Brandon (and Kevin before him) provided showed something 
very intrusive about proxies related to your 3). That proxies mediate 
the access to the public method is one thing, that they pretend to be 
the object acted on inside the method opens an entire world.

Even with fixes suggested by Allen, the hazard can still exist if 
someone does:
     Counter.prototype.increment.call(new Proxy(counter, maliciousHandler))

I have no idea how this can be mitigated in general without creating a 
mechanism that can be abused to unwrap proxies. For classes 
specifically, maybe an option can make classes keep track of 
generated objects and throw if a non-instance is passed to a method as 
|this| (...which is exactly the kind of thing DOM Node tree 
manipulation methods will need)

David
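The hazard described in the post, and the instance-tracking mitigation it suggests, written out as an added example (this is illustrative code, not anything from the es-discuss thread or from the ECMAScript specification). It assumes a hypothetical `Counter` class whose constructor records every object it creates in a `WeakSet`; the naive `increment` trusts whatever `|this|` it is given, so a proxy passed as `|this|` observes and mediates every property access the method makes, while the hardened `safeIncrement` throws when `|this|` is not a tracked instance.

```javascript
// Added example, not code from the original post.
// Registry of objects the Counter constructor actually created (assumed
// mitigation: a WeakSet "brand", chosen here to illustrate the post's idea).
const instances = new WeakSet();

class Counter {
  constructor() {
    this.count = 0;
    instances.add(this);
  }
  // Naive method: operates on whatever |this| it is called with.
  increment() {
    this.count += 1;
    return this.count;
  }
  // Hardened method: refuses to run on anything the class did not create,
  // so a proxy (or any other foreign object) passed as |this| is rejected.
  safeIncrement() {
    if (!instances.has(this)) {
      throw new TypeError("safeIncrement called on a non-Counter |this|");
    }
    this.count += 1;
    return this.count;
  }
}

// Call the naive method with a proxy as |this| and record every trap the
// handler observed while the method body ran.
function runWithProxy() {
  const counter = new Counter();
  const seen = [];
  const handler = {
    get(target, prop, receiver) {
      seen.push(`get ${String(prop)}`);
      return Reflect.get(target, prop, receiver);
    },
    set(target, prop, value, receiver) {
      seen.push(`set ${String(prop)}=${value}`);
      return Reflect.set(target, prop, value, receiver);
    },
  };
  const proxy = new Proxy(counter, handler);
  // This is the call shape from the post: the method runs with |this| === proxy.
  const result = Counter.prototype.increment.call(proxy);
  return { result, seen, targetCount: counter.count };
}

// The hardened method works on a real instance and throws on a proxy.
function runHardened() {
  const counter = new Counter();
  const proxy = new Proxy(counter, {});
  const direct = counter.safeIncrement();
  let threw = false;
  try {
    Counter.prototype.safeIncrement.call(proxy);
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return { direct, threw, targetCount: counter.count };
}
```

With the naive method, the handler sees the read of `count`, the write of the incremented value, and the final read for the return value; the proxy effectively stands in for the counter for the whole duration of the method. The brand check in `safeIncrement` is the "track generated objects and throw" option from the post, and it also blocks the plain `.call(...)` misuse without providing any way to unwrap the proxy.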
