custom cross-realm brand checking

Richard Gibson richard.gibson at gmail.com
Tue Oct 2 03:04:16 UTC 2018


Responses inline.

On Monday, October 1, 2018, Jordan Harband <ljharb at gmail.com> wrote:

> Function.prototype.toString wouldn't suffice as a verification - you could
> reconstruct it with eval, in many cases
>

I've specifically constructed a use that I believe cannot be reconstructed
in such a way, with or without eval. And I've made it easy to share a
counterexample if there is one (just copy the shareable link).

> and refactoring the implementation shouldn't force a change in the identity
> of a function.
>

I disagree, since ECMAScript functions _are_ their implementations. But
note that it would be trivial to extend this technique for supporting old
versions, and only slightly more challenging to look for certain aspects
while ignoring others. And it may also be possible to provide a
function-based approach, though I'm skeptical of that because "prove you're
the same as me *and* not being wrapped or impersonated" is really difficult
in such a dynamic language.

Regardless, the question is not whether you approve of this strategy—it's
whether or not user code can implement the kind of robust and unforgeable
cross-realm-compatible brand checks that are trivial with direct access to
internal slots. I claim that it is, and hope that this is a stepping stone
up for software and specifications that currently need to rely on layer
violations.
