Re: [caplet] Re: [Fwd: Re: ADsafe attack]

  • Mark S. Miller
    Message 1 of 11, May 21, 2008
      On Wed, May 21, 2008 at 12:02 PM, David-Sarah Hopwood
      <david.hopwood@...> wrote:
      > Any chance of an Object.__allKeys__(object) method, which ignores
      > DontEnum, in ES3.1?

      Yes! The about-to-be-specified Object.getProperties(obj) will provide
      a reflective description of all an object's own properties. This
      operation itself will not be visible from Caja, and I wouldn't
      recommend that it be visible from ADsafe, but in both cases it's
      useful within the runtime libraries of these secure subsets, to help
      enforce useful properties, as you explain.


      --
      Cheers,
      --MarkM
    • David-Sarah Hopwood
      Message 2 of 11, May 21, 2008
        Mark S. Miller wrote:
        > On Wed, May 21, 2008 at 12:02 PM, David-Sarah Hopwood
        > <david.hopwood@...> wrote:
        >> Any chance of an Object.__allKeys__(object) method, which ignores
        >> DontEnum, in ES3.1?
        >
        > Yes! The about-to-be-specified Object.getProperties(obj) will provide
        > a reflective description of all an object's own properties. This
        > operation itself will not be visible from Caja, and I wouldn't
        > recommend that it be visible from ADsafe, but in both cases it's
        > useful within the runtime libraries of these secure subsets, to help
        > enforce useful properties, as you explain.

        That's why I suggested a name using the __...__ convention.

        Otherwise, a subset language that does not do rewriting must do one of:
        - blacklist the name 'getProperties', which is ugly;
        - rebind 'Object' when running subset code, which does not have
        well-defined semantics and may cause compatibility problems;
        - block access to 'Object', which would not otherwise be necessary.

        Actually, a better idea would be to move *all* of the methods proposed
        to be added to Object, to a new global 'Reflect'. Rebinding 'Reflect'
        in order to provide tamed versions of these operations when running
        subset code would not have the same problems as rebinding 'Object',
        since 'Reflect' is not used for anything else.

        --
        David-Sarah Hopwood
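
The rebinding idea in the message above, as an added example that is not part of the thread and is not code from ADsafe, Caja or Jacaranda. `Object.getOwnPropertyNames` stands in for the proposed `getProperties`; `makeTamedReflect`, `runSubset`, `auditOwnNames` and the hidden-name policy are hypothetical, and the subset verifier is assumed to have already blocked every other route to the full reflective operations.

```javascript
// Constructed policy: names following the __...__ convention belong to the
// runtime library and are never revealed to subset code.
const isHidden = (name) => /^__.*__$/.test(name);

// Tamed stand-in for the proposed global 'Reflect' (hypothetical API surface).
function makeTamedReflect() {
  return Object.freeze({
    // Ignores enumerability like the full operation, but filters private names.
    ownKeys(obj) {
      return Object.getOwnPropertyNames(obj).filter((n) => !isHidden(n));
    },
  });
}

// Runs subset code with 'Reflect' rebound to the tamed object: the source is
// compiled as a function whose parameter shadows the global binding.
// Assumption: a subset verifier has already rejected references to other
// globals, so this shadowing is the only 'Reflect' the code can name.
function runSubset(source, env) {
  const fn = new Function('Reflect', 'env', '"use strict";\n' + source);
  return fn(makeTamedReflect(), env);
}

// Runtime-library side: full view of own properties, non-enumerable included.
function auditOwnNames(obj) {
  return Object.getOwnPropertyNames(obj);
}

function demo() {
  const record = { title: 'ad slot' };               // constructed sample object
  Object.defineProperty(record, '__owner__', { value: 'runtime', enumerable: false });
  Object.defineProperty(record, 'size', { value: 3, enumerable: false });

  const forIn = [];
  for (const k in record) forIn.push(k);             // skips non-enumerable names

  return {
    forIn,                                           // what plain enumeration sees
    runtime: auditOwnNames(record),                  // what the runtime library sees
    subset: runSubset('return Reflect.ownKeys(env);', record), // tamed view
  };
}

console.log(demo());
```
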
      • Douglas Crockford
        Message 3 of 11, May 21, 2008
          --- In caplet@yahoogroups.com, David-Sarah Hopwood <david.hopwood@...>
          wrote:
          > That's why I suggested a name using the __...__ convention.
          >
          > Otherwise, a subset language that does not do rewriting must do one of:
          > - blacklist the name 'getProperties', which is ugly;
          > - rebind 'Object' when running subset code, which does not have
          > well-defined semantics and may cause compatibility problems;
          > - block access to 'Object', which would not otherwise be necessary.
          >
          > Actually, a better idea would be to move *all* of the methods proposed
          > to be added to Object, to a new global 'Reflect'. Rebinding 'Reflect'
          > in order to provide tamed versions of these operations when running
          > subset code would not have the same problems as rebinding 'Object',
          > since 'Reflect' is not used for anything else.

          Mark came up with a better idea: ADsafe denies any access to Object.
        • David-Sarah Hopwood
          Message 4 of 11, May 21, 2008
            Douglas Crockford wrote:
            > --- In caplet@yahoogroups.com, David-Sarah Hopwood <david.hopwood@...>
            > wrote:
            >> That's why I suggested a name using the __...__ convention.
            >>
            >> Otherwise, a subset language that does not do rewriting must do one of:
            >> - blacklist the name 'getProperties', which is ugly;
            >> - rebind 'Object' when running subset code, which does not have
            >> well-defined semantics and may cause compatibility problems;
            >> - block access to 'Object', which would not otherwise be necessary.
            >>
            >> Actually, a better idea would be to move *all* of the methods proposed
            >> to be added to Object, to a new global 'Reflect'. Rebinding 'Reflect'
            >> in order to provide tamed versions of these operations when running
            >> subset code would not have the same problems as rebinding 'Object',
            >> since 'Reflect' is not used for anything else.
            >
            > Mark came up with a better idea: ADsafe denies any access to Object.

            I don't want to have to do that in Jacaranda (where it would otherwise
            be safe to allow first-class access to Object).

            --
            David-Sarah Hopwood