Private symbols auto-unwrapping proxies (was: Security Demands Simplicity (was: Private Slots))

Mark S. Miller erights at google.com
Mon Jan 28 11:32:04 PST 2013


Hi Tom, as you and I discussed in chat, "(base case) there are no built-in
private symbols in a standard JS environment (i.e. all the built-in symbols
are unique)" is a bad misunderstanding of the utility of membranes.
Membranes (and membrane-like patterns) are useful and needed at many
finer grains than realms. It is not safe to assume that no private symbols
exist on both sides of any membrane. I think proposal #1 is fatally
insecure. I'm glad you like #2.

Btw, there's a terminology problem, assuming you were referring to Joe-E's
distinctions: In Joe-E terminology, private symbols are *immutable* but not
*powerless*. (In E terms, private symbols are *DeepFrozen* but not
*DeepPassByCopy* or *Data*.)



On Mon, Jan 28, 2013 at 10:45 AM, Tom Van Cutsem <tomvc.be at gmail.com> wrote:

> I just wrote up a strawman on the wiki to summarize the recent debates
> about the interaction between proxies and private symbols:
>
> http://wiki.ecmascript.org/doku.php?id=strawman:proxy_symbol_decoupled
>
> The page actually lists two proposals, out of which I prefer the second
> one.
>
> If I forgot some benefits/drawbacks of either approach, please speak up.
> Thanks.
>
> Cheers,
> Tom
>



-- 
    Cheers,
    --MarkM