Private symbols auto-unwrapping proxies (was: Security Demands Simplicity (was: Private Slots))

Mark S. Miller erights at google.com
Mon Jan 28 17:27:27 PST 2013


On Mon, Jan 28, 2013 at 3:59 PM, Mark Miller <erights at gmail.com> wrote:

> Tor this[symbol] = value or equivalent on one side of a membrane, followed
> by this[symbol] or equivalent on the other side of the membrane, we have
> the following eight cases.
>

That should be "For thing[symbol] = value or equivalent...by thing[symbol]
or equivalent..."


>
> For all of these, o1 is the original non-proxy thing associated with the
> private properties.
> p1 is the proxy result of passing o1 through a membrane
> o2 is a PrivateSymbol or WeakMap
> p2 is the result of passing o2 through a membrane.
>   When o2 is a WeakMap, p2 is a proxy for the WeakMap.
>   When o2 is a PrivateSymbol, p2 is a PrivateSymbol that the membrane
> considers to correspond to o2
> o3 is the original non-proxy value to be stored in this private property.
> p3 is the proxy result of passing o3 through the membrane.
>
> o1[o2] = o3; p1[p2] // undefined !== p3
> o2.set(o1, o3); p2.get(p1) // p3
>
> o1[o2] = p3; p1[p2] // undefined !== o3
> o2.set(o1, p3); p2.get(p1) // o3
>
> o1[p2] = o3; p1[o2] // undefined !== p3
> p2.set(o1, o3); o2.get(p1) // p3
>
> The remaining 5 cases are left as an exercise for the reader ;).
>
> The reason they all work for WeakMaps is that the WeakMap itself is on one
> side of the membrane and both gets and sets go there. The weakmap only sees
> the thing and value on its side of the membrane. The requestor only sees
> the thing and value on their side of the membrane.
>
> The reason none of these work under proposal #2 is that the
> thing[privateSymbol] operations on one side of the membrane don't make it
> to the other side.
>
> The reason none of these work under proposal #1 is that the
> thing[privateSymbol] operations don't trap, and so the membrane doesn't get
> to wrap or unwrap the stored value.
>
>
>
> On Mon, Jan 28, 2013 at 1:21 PM, Mark S. Miller <erights at google.com>wrote:
>
>> On Mon, Jan 28, 2013 at 11:52 AM, Andreas Rossberg <rossberg at google.com>wrote:
>>
>>> On 28 January 2013 19:45, Tom Van Cutsem <tomvc.be at gmail.com> wrote:
>>> > I just wrote up a strawman on the wiki to summarize the recent debates
>>> about
>>> > the interaction between proxies and private symbols:
>>> >
>>> > http://wiki.ecmascript.org/doku.php?id=strawman:proxy_symbol_decoupled
>>> >
>>> > The page actually lists two proposals, out of which I prefer the
>>> second one.
>>> >
>>> > If I forgot some benefits/drawbacks of either approach, please speak
>>> up.
>>>
>>> Under the second approach, how can you transparently proxy an object
>>> with private properties _at all_? It seems like you can't, even when
>>> you have access to its private names. In other words, what do you mean
>>> by "inherit the private state of the target", when the target is still
>>> aliased and accessed?
>>>
>>
>>
>> There is an interesting difference between weakmaps and Tom's second
>> proposal.
>>
>>
>> -----------------------------------------------------
>> Consider, in proposal #2:
>>
>> // All on the wet side of the membrane. No interesting difference yet
>>
>>   var wetRecord = {
>>     symbol: PrivateSymbol(),
>>     thing: whatever()
>>   };
>>   var wetValue = whatever()
>>   wetRecord.thing[wetRecord.symbol] = wetValue;
>>
>> // transition to dry side
>>
>>    var { wrapper: dryRecord, gate } = makeMembrane(wetRecord);
>>
>>    var dryValue = dryRecord.thing[dryRecord.symbol];
>>
>> // Under proposal #2, dryValue is undefined
>> -----------------------------------------------------
>>
>>
>>
>>
>> -----------------------------------------------------
>> Now let's do the "same" thing with WeakMaps:
>>
>> // All on the wet side of the membrane. No interesting difference yet
>>
>>   var wetRecord = {
>>     symbol: WeakMap(),
>>     thing: whatever()
>>   };
>>   var wetValue = whatever()
>>   wetRecord.symbol.set(wetRecord.thing, wetValue);
>>
>> // transition to dry side
>>
>>    var { wrapper: dryRecord, gate } = makeMembrane(wetRecord);
>>
>>    var dryValue = dryRecord.symbol.get(dryRecord.thing);
>>
>>    // dryValue is a proxy for wetValue
>> -----------------------------------------------------
>>
>>
>>
>> Conclusion: Although both WeakMaps and Private Symbols have "issues" when
>> virtualized through membranes, WeakMaps virtualize usefully under more
>> scenarios than do Private Symbols under proposal #2.
>>
>>
>> --
>>     Cheers,
>>     --MarkM
>>
>> _______________________________________________
>> es-discuss mailing list
>> es-discuss at mozilla.org
>> https://mail.mozilla.org/listinfo/es-discuss
>>
>>
>
>
> --
> Text by me above is hereby placed in the public domain
>
>   Cheers,
>   --MarkM
>



-- 
    Cheers,
    --MarkM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20130128/9a2d94be/attachment.html>


More information about the es-discuss mailing list