Private symbols auto-unwrapping proxies (was: Security Demands Simplicity (was: Private Slots))
bruant.d at gmail.com
Wed Jan 23 10:37:39 PST 2013
On 23/01/2013 09:38, Tom Van Cutsem wrote:
> 3) because of JS's "invoke = get + apply" semantics, by default a
> proxy always leaves the |this| value pointing at the proxy.
> Looking only at 3), sometimes this is what you want, and sometimes it
In which case would it be what you want?
The example Brandon (and Kevin before him) provided showed something
very intrusive about proxies related to your 3). That proxies mediate
the access to the public method is one thing, that they pretend to be
the object acted on inside the method opens an entire world.
Even with fixes suggested by Allen, the hazard can still exist if
Counter.prototype.increment.call(new Proxy(counter, maliciousHandler))
I have no idea how this can be mitigated in general without creating a
mechanism that can be abused to unwrap proxies. For classes
specifically, maybe an option could make classes keep track of
generated objects and throw if a non-instance is passed in a method as
|this| (...which is exactly the kind of things DOM Node tree
manipulation methods will need)
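As an added example (not code from the post or the thread), the following shows the "invoke = get + apply" hazard the post describes, with the method receiving the proxy as |this|, next to the brand-check mitigation it sketches. `Counter`, `NaiveCounter`, the WeakMap-based private state and the logging handler are constructions assumed for this illustration.

```javascript
// Private state keyed by the real instance, as WeakMap-based privacy does.
const counts = new WeakMap();

// Unchecked variant: trusts whatever |this| it is handed.
class NaiveCounter {
  constructor() { counts.set(this, 0); }
  increment() {
    // If |this| is a proxy, counts.get(proxy) is undefined -> NaN,
    // and the update lands under the proxy key, not the real instance.
    counts.set(this, counts.get(this) + 1);
    return counts.get(this);
  }
}

// Brand-checked variant: the class only accepts objects it constructed.
class Counter {
  constructor() { counts.set(this, 0); }
  increment() {
    if (!counts.has(this)) {
      throw new TypeError('increment called on a non-Counter |this|');
    }
    counts.set(this, counts.get(this) + 1);
    return counts.get(this);
  }
}

function demo() {
  const trapped = [];
  // Logging handler: records which property the [[Get]] step touched.
  const handler = {
    get(target, key, receiver) {
      trapped.push(String(key));
      return Reflect.get(target, key, receiver);
    },
  };

  const naive = new NaiveCounter();
  const naiveProxy = new Proxy(naive, handler);
  // invoke = get + apply: trap sees "increment", then the method runs
  // with this === naiveProxy, so the private lookup misses.
  const naiveResult = naiveProxy.increment();      // NaN
  const naiveTargetState = counts.get(naive);      // still 0

  const real = new Counter();
  // Same hazard without even invoking through the proxy (the post's case).
  let error = null;
  try { Counter.prototype.increment.call(new Proxy(real, handler)); }
  catch (e) { error = e.name; }                    // 'TypeError'
  const direct = real.increment();                 // 1

  return { trapped, naiveResult, naiveTargetState, error, direct };
}
```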