Kevin Reid (2013-08-29T17:51:38.000Z)
On Wed, Aug 28, 2013 at 10:19 AM, Allen Wirfs-Brock
<allen at wirfs-brock.com> wrote:

> The problem is that in ES<6 slice always returned a new Array instance
> using the Array of the realm associated with the invoked slice function.
> In ES6 slice returns an object that is determined based upon the actual
> this value passed to slice. In the default case like above, this will be
> a new Array instance using the Array of the realm associated with the
> this value.
>

!

This is a hazardous change for SES-style security. For example, I've just
taken a quick look at our (Caja) codebase and found a place where
Array.prototype.slice.call(foo) is used to obtain a “no funny business”
array (i.e. doesn't have side effects when you read it) and another where
it's used to obtain an array which must be in the caller's realm. These
would be easy enough to replace with a more explicit operation, but I
wanted to point out that this is not a harmless change.
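To make the hazard described above concrete, here is an added JavaScript example; it is not code from the post, from the es-discuss thread, or from Caja. It assumes an untrusted party controls the object `foo` that is later passed to `Array.prototype.slice.call(foo)`, and it models the ES6 lookup of `foo.constructor[Symbol.species]` with a constructed "hostile" array whose species constructor hands back a Proxy. The helper names (`makeHostileArray`, `sliceViaSpecies`, `plainCopy`, `demo`) are hypothetical.

```javascript
// Added example (not from the es-discuss post or the Caja codebase).
// Shows why Array.prototype.slice.call(foo) no longer guarantees a
// "no funny business" Array once the result object is chosen through
// foo.constructor[Symbol.species], and an explicit copy that does.

// Constructed hostile input: an ordinary array whose own `constructor`
// property points at an object with a Symbol.species getter. ES6's
// ArraySpeciesCreate consults exactly that, so slice ends up calling
// `new species(length)` and using whatever object comes back.
function makeHostileArray(log) {
  const foo = [1, 2, 3];
  foo.constructor = {
    [Symbol.species]: function (length) {
      // Returning an object from a constructor replaces `this`, so the
      // Proxy becomes the "copy" that slice fills in and hands back.
      return new Proxy([], {
        get(target, key, receiver) {
          // Every element read of the copy now runs attacker-chosen code.
          if (typeof key === 'string' && key !== 'length') log.push('read ' + key);
          return Reflect.get(target, key, receiver);
        },
      });
    },
  };
  return foo;
}

// The pre-ES6 idiom under discussion. In ES5 this always produced a fresh
// Array from the realm of the slice function; in ES6 the species hook above
// decides what object is returned.
function sliceViaSpecies(foo) {
  return Array.prototype.slice.call(foo);
}

// The "more explicit operation" the post alludes to: copy index by index
// into an Array literal of this realm. Reading `foo` may still trigger
// getters on the source, but the result is a plain Array with ordinary data
// properties, so reading it later has no side effects.
function plainCopy(foo) {
  const len = foo.length >>> 0; // ToUint32, matching array length limits
  const out = new Array(len);
  for (let i = 0; i < len; i++) out[i] = foo[i];
  return out;
}

// Runs both copies over the hostile array and reports what reading them
// triggers. Note that prototype checks cannot tell the two apart:
// Object.getPrototypeOf(proxy) falls through to the target's Array.prototype,
// so "reads are trapped" is the observable that matters.
function demo() {
  const log = [];
  const foo = makeHostileArray(log);

  const viaSlice = sliceViaSpecies(foo);
  const viaCopy = plainCopy(foo);

  let before = log.length;
  viaSlice[0]; viaSlice[1]; // reads go through the Proxy's get trap
  const readsTrappedViaSlice = log.length - before;

  before = log.length;
  viaCopy[0]; viaCopy[1];   // plain data properties, nothing runs
  const readsTrappedViaCopy = log.length - before;

  return {
    sliceLength: viaSlice.length,
    readsTrappedViaSlice,
    readsTrappedViaCopy,
    copyValues: viaCopy.slice(),
    copyIsPlainArray: Object.getPrototypeOf(viaCopy) === Array.prototype,
  };
}

console.log(demo());
```

The final ES2015 text of ArraySpeciesCreate does add one safeguard for the cross-realm default case the quoted draft describes: when `foo.constructor` is the `%Array%` intrinsic of a different realm, the constructor is ignored and a plain Array of the current realm is created. The species hook shown here is still consulted whenever `constructor` or `Symbol.species` has been replaced, which is why a copy that does not depend on the receiver's own properties is the safer idiom for the two Caja use cases mentioned.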