FW: Proposal: safeEval

doodad-js Admin doodadjs at gmail.com
Fri Jun 22 20:56:50 UTC 2018



If you blacklist.


Blacklisting or whitelisting, that’s an open discussion.


Yet you're providing a library that does just that


Because that’s a “user land” library and currently the only way is with “AST filtering”, apart from compiling a complete runtime, with Emscripten or else.





From: Mike Samuel <mikesamuel at gmail.com> 
Sent: Friday, June 22, 2018 4:46 PM
To: doodad-js Admin <doodadjs at gmail.com>
Cc: Isiah Meadows <isiahmeadows at gmail.com>; es-discuss <es-discuss at mozilla.org>
Subject: Re: FW: Proposal: safeEval



On Fri, Jun 22, 2018, 4:21 PM doodad-js Admin <doodadjs at gmail.com> wrote:


you've provided no reason to believe that opcode filtering would provide a better balance between security and ease of writing than AST filtering


AST filtering is fragile because every change to the language can break it.

If you blacklist.


Yet you're providing a library that does just that and have still provided no reason to believe that an opcode filtering proposal would be both more secure and less brittle.
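
The blacklist versus whitelist point argued in this thread, as an added example that is not code from the thread or from any library mentioned in it: a denylist filter and an allowlist filter run over the same hand-built ESTree-shaped ASTs. The node-type sets, function names and sample trees are assumptions made for illustration; `ImportExpression` is the ESTree node for dynamic `import()`, standardized in ES2020, after this thread.

```javascript
// Constructed ESTree-shaped ASTs are used as input, so no parser is required.
// Visit every object in the tree that carries a string `type` field.
function walk(node, visit) {
  if (Array.isArray(node)) { node.forEach((n) => walk(n, visit)); return; }
  if (node === null || typeof node !== 'object') return;
  if (typeof node.type === 'string') visit(node);
  for (const key of Object.keys(node)) walk(node[key], visit);
}

// Denylist (hypothetical): rejects only the node types its author knew about.
const DENIED = new Set(['CallExpression', 'NewExpression', 'MemberExpression',
  'AssignmentExpression', 'ThisExpression']);
function passesDenylist(ast) {
  let ok = true;
  walk(ast, (n) => { if (DENIED.has(n.type)) ok = false; });
  return ok;
}

// Allowlist (hypothetical): accepts only reviewed node types; unknown ones fail closed.
const ALLOWED = new Set(['Program', 'ExpressionStatement', 'BinaryExpression',
  'UnaryExpression', 'Literal']);
function passesAllowlist(ast) {
  let ok = true;
  walk(ast, (n) => { if (!ALLOWED.has(n.type)) ok = false; });
  return ok;
}

const wrap = (expression) => ({ type: 'Program',
  body: [{ type: 'ExpressionStatement', expression }] });
const lit = (value) => ({ type: 'Literal', value });

// Constructed sample inputs.
const arithmetic = wrap({ type: 'BinaryExpression', operator: '+', left: lit(1),
  right: { type: 'BinaryExpression', operator: '*', left: lit(2), right: lit(3) } });
const call = wrap({ type: 'CallExpression',
  callee: { type: 'Identifier', name: 'f' }, arguments: [lit(1)] });
// Node type introduced by a later language edition than the filters anticipate.
const dynamicImport = wrap({ type: 'ImportExpression', source: lit('x') });

function verdicts(ast) {
  return { denylist: passesDenylist(ast), allowlist: passesAllowlist(ast) };
}

console.log('1 + 2 * 3  ', verdicts(arithmetic));
console.log('f(1)       ', verdicts(call));
console.log('import("x")', verdicts(dynamicImport));
```

The denylist accepts the `ImportExpression` tree because the type is simply absent from its set, while the allowlist rejects it until someone reviews and adds it.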





