Private symbols auto-unwrapping proxies (was: Security Demands Simplicity (was: Private Slots))

Mark S. Miller erights at
Mon Jan 28 11:32:04 PST 2013

Hi Tom, as you and I discussed in chat, "(base case) there are no built-in
private symbols in a standard JS environment (i.e. all the built-in symbols
are unique)" is a bad misunderstanding of the utility of membranes.
Membranes (and membrane-like patterns) are useful and needed at many
finer grains than realms. It is not safe to assume that no private symbols
exist on both sides of any membrane. I think proposal #1 is fatally
insecure. I'm glad you like #2.

Btw, there's a terminology problem, assuming you were referring to Joe-E's
distinctions: In Joe-E terminology, private symbols are *immutable* but not
*powerless*. (In E terms, private symbols are *DeepFrozen* but not
*DeepPassByCopy* or *Data*.)

On Mon, Jan 28, 2013 at 10:45 AM, Tom Van Cutsem < at> wrote:

> I just wrote up a strawman on the wiki to summarize the recent debates
> about the interaction between proxies and private symbols:
> The page actually lists two proposals, out of which I prefer the second
> one.
> If I forgot some benefits/drawbacks of either approach, please speak up.
> Thanks.
> Cheers,
> Tom
