POLA Would Have Prevented the Event-Stream Incident

Mark Miller erights at gmail.com
Mon Dec 3 22:19:04 UTC 2018


The npm / event-stream incident is the perfect teaching moment for POLA
(Principle of Least Authority), and for the need to support least authority
for JavaScript libraries.
https://medium.com/agoric/pola-would-have-prevented-the-event-stream-incident-45653ecbda99
by Kate Sills (cc'ed) explains the point. The links at the end of Kate's
article are worth following. In particular:

Securing EcmaScript, presentation to Node Security
https://www.youtube.com/watch?v=9Snbss_tawI&list=PLKr-mvz8uvUgybLg53lgXSeLOp4BiwvB2
is my presentation explaining many of these issues *prior to* this particular
incident.

At the recent (November 2018) tc39 meeting, I presented on the enhancements
needed to support least authority for JavaScript modules and libraries,
adequate to have prevented this incident.

Besides es-discuss
https://news.ycombinator.com/item?id=18590116
would be a good place to discuss these issues.

--
  Cheers,
  --MarkM