Private symbols auto-unwrapping proxies (was: Security Demands Simplicity (was: Private Slots))

Tom Van Cutsem at
Mon Jan 28 23:42:40 PST 2013

2013/1/28 Mark S. Miller <erights at>

> Hi Tom, as you and I discussed in chat, "(base case) there are no
> built-in private symbols in a standard JS environment (i.e. all the
> built-in symbols are unique)" is a bad misunderstanding of the utility of
> membranes. Membranes (and membrane-like patterns) are useful and needed at
> many finer-grains than realms. It is not safe to assume that no private
> symbols exist on both sides of any membrane. I think proposal #1 is fatally
> insecure. I'm glad you like #2.

Ok, so the base case is unsound. Good to know. Proves that it's always
important to explicitly state your base assumptions ;-)

> Btw, there's a terminology problem, assuming you were referring to Joe-E's
> distinctions: In Joe-E terminology, private symbols are *immutable* but
> not *powerless*. (In E terms, private symbols are *DeepFrozen* but not *
> DeepPassByCopy* or *Data*.)

Thanks for the clarification. Will update the wiki.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the es-discuss mailing list