# Private symbols auto-unwrapping proxies (was: Security Demands Simplicity (was: Private Slots))

Mark Miller erights at gmail.com
Mon Jan 28 15:59:52 PST 2013

```Tor this[symbol] = value or equivalent on one side of a membrane, followed
by this[symbol] or equivalent on the other side of the membrane, we have
the following eight cases.

For all of these, o1 is the original non-proxy thing associated with the
private properties.
p1 is the proxy result of passing o1 through a membrane
o2 is a PrivateSymbol or WeakMap
p2 is the result of passing o2 through a membrane.
When o2 is a WeakMap, p2 is a proxy for the WeakMap.
When o2 is a PrivateSymbol, p2 is a PrivateSymbol that the membrane
considers to correspond to o2
o3 is the original non-proxy value to be stored in this private property.
p3 is the proxy result of passing o3 through the membrane.

o1[o2] = o3; p1[p2] // undefined !== p3
o2.set(o1, o3); p2.get(p1) // p3

o1[o2] = p3; p1[p2] // undefined !== o3
o2.set(o1, p3); p2.get(p1) // o3

o1[p2] = o3; p1[o2] // undefined !== p3
p2.set(o1, o3); o2.get(p1) // p3

The remaining 5 cases are left as an exercise for the reader ;).

The reason they all work for WeakMaps is that the WeakMap itself is on one
side of the membrane and both gets and sets go there. The weakmap only sees
the thing and value on its side of the membrane. The requestor only sees
the thing and value on their side of the membrane.

The reason none of these work under proposal #2 is that the
thing[privateSymbol] operations on one side of the membrane don't make it
to the other side.

The reason none of these work under proposal #1 is that the
thing[privateSymbol] operations don't trap, and so the membrane doesn't get
to wrap or unwrap the stored value.

On Mon, Jan 28, 2013 at 1:21 PM, Mark S. Miller <erights at google.com> wrote:

> On Mon, Jan 28, 2013 at 11:52 AM, Andreas Rossberg <rossberg at google.com>wrote:
>
>> On 28 January 2013 19:45, Tom Van Cutsem <tomvc.be at gmail.com> wrote:
>> > I just wrote up a strawman on the wiki to summarize the recent debates
>> > the interaction between proxies and private symbols:
>> >
>> > http://wiki.ecmascript.org/doku.php?id=strawman:proxy_symbol_decoupled
>> >
>> > The page actually lists two proposals, out of which I prefer the second
>> one.
>> >
>> > If I forgot some benefits/drawbacks of either approach, please speak up.
>>
>> Under the second approach, how can you transparently proxy an object
>> with private properties _at all_? It seems like you can't, even when
>> you have access to its private names. In other words, what do you mean
>> by "inherit the private state of the target", when the target is still
>> aliased and accessed?
>>
>
>
> There is an interesting difference between weakmaps and Tom's second
> proposal.
>
>
> -----------------------------------------------------
> Consider, in proposal #2:
>
> // All on the wet side of the membrane. No interesting difference yet
>
>   var wetRecord = {
>     symbol: PrivateSymbol(),
>     thing: whatever()
>   };
>   var wetValue = whatever()
>   wetRecord.thing[wetRecord.symbol] = wetValue;
>
> // transition to dry side
>
>    var { wrapper: dryRecord, gate } = makeMembrane(wetRecord);
>
>    var dryValue = dryRecord.thing[dryRecord.symbol];
>
> // Under proposal #2, dryValue is undefined
> -----------------------------------------------------
>
>
>
>
> -----------------------------------------------------
> Now let's do the "same" thing with WeakMaps:
>
> // All on the wet side of the membrane. No interesting difference yet
>
>   var wetRecord = {
>     symbol: WeakMap(),
>     thing: whatever()
>   };
>   var wetValue = whatever()
>   wetRecord.symbol.set(wetRecord.thing, wetValue);
>
> // transition to dry side
>
>    var { wrapper: dryRecord, gate } = makeMembrane(wetRecord);
>
>    var dryValue = dryRecord.symbol.get(dryRecord.thing);
>
>    // dryValue is a proxy for wetValue
> -----------------------------------------------------
>
>
>
> Conclusion: Although both WeakMaps and Private Symbols have "issues" when
> virtualized through membranes, WeakMaps virtualize usefully under more
> scenarios than do Private Symbols under proposal #2.
>
>
> --
>     Cheers,
>     --MarkM
>
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>
>

--
Text by me above is hereby placed in the public domain

Cheers,
--MarkM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20130128/7a09659e/attachment.html>
```