name anonymous functions on property assignments

Allen Wirfs-Brock allen at wirfs-brock.com
Sun Jul 26 20:33:07 UTC 2015


On Jul 26, 2015, at 12:55 PM, Andrea Giammarchi wrote:

> with all due respect Allen, I'm completely against magic-function-name assignment for various reason and leaking ain't one.

Implicit function name property assignment is part of ES2015.

> What could you assign in ES6 that cannot be retrieved anyway through getOwnPropertySymbols and getOwnPropertyNames ? A triple-magic private Proxy handler or what?

A sandbox can censor getOwnPropertySymbol and other reflection functions.  

> I mean, the moment you could access that method is the moment it could leak with or without a name, right?
> 
> Just curious about what you had in mind, again I agree having this in is a no-go.

Just saying that an exposed property name is a different (and potentially more broadly exploitable) capability than exposing a local variable name.

TC39 reached consensus on automatically assigning the `name` property for expression forms like:
      Identifier = FunctionExpression

and so it is part of ES2015.  We did not have consensus on doing the same for:
       MemberExpression.IdentifierName = FunctionExpression
or
       MemberExpression[Expression] = FunctionExpression
so it is not part of ES2015. There were various objections that would have to be overcome before we could adopt that.

Allen






> 
> Best Regards
> 
> On Sun, Jul 26, 2015 at 8:48 PM, Allen Wirfs-Brock <allen at wirfs-brock.com> wrote:
> 
> On Jul 26, 2015, at 5:11 AM, Benjamin Gruenbaum wrote:
> 
> > In theory this sounds like a cool idea, I didn't even know variable assignments named functions.
> >
> > The only issue I see here is how we're now differentiating assignment by where it happens - what if the property is computed? As far as I know function names are more constrained (like variable names) in what they can be. Object properties may contain characters that function names may not.
> 
> the possibility that the property key is a symbol is a primary reason that this expression form does not set the `name` property.
> 
> There may also be security concerns.  The `name` property potentially leaks via the function object the name of the variable it is initially assigned to.  But there isn't much someone could do with a local variable name, outside of  the originating function.  But a leaked property name potentially carries a greater capability.
> 
> Allen
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20150726/a5876426/attachment-0001.html>


More information about the es-discuss mailing list