Peter van der Zee
ecma at qfox.nl
Sun Jul 27 09:27:13 PDT 2014
On Sun, Jul 27, 2014 at 6:14 PM, Mark S. Miller <erights at google.com> wrote:
> Although there is some interesting work in trying to obtain security
> relevant guarantees from a script that isn't first, where a malicious script
> may instead have been first (link please if anyone has it), this work did
> not seem practical to me.
I'm not familiar with actual deep research in this area for JS.
Seems to me like a syntactic way of including a module that's
guaranteed to be a system module (completely sealed of the shelf)
would circumvent a lot of these problems. For example, a module that
gives you a fresh default global object with all the built-ins
guaranteed unchanged. Since the syntax can't really be affected by an
earlier script and the language could define a hardcoded system
module, this kind of approach seems viable to me. But we're digressing
from the topic.
More information about the es-discuss