Discuss
  • Message History
Aymeric Vitte (2013-09-25T22:48:16.000Z)
It's not easy to freeze the world like Caja is doing, and it's not easy 
to have a library that takes care of it securely, and the use case is 
not always to use modules to have a fresh global.

Some years ago, doing widgets stuff inside web pages, I had a 
"RestoreNativeVar" function restoring natives using strange hooks like 
taking them from iframes (no comments...)

The issue is probably not TC39 only, but looking at W3C security groups 
specs which apparently have some hard time defining something secure, 
maybe SES concepts are coming late in the TC39 schedule, all new Web API 
define more globals, this is usefull to have something that freezes the 
entire global when you need it instead of hacking around.

Regards,

Aymeric

Le 25/09/2013 23:50, David Bruant a écrit :
> Le 25/09/2013 17:41, Michaël Rouges a écrit :
>> Hi all,
>>
>> Given the number of scripts from various sources that may be 
>> contained in a web page, there may be prototypingconflicts.
> Be careful about what you include? To be proactive in that process, 
> freeze all builtins beforehand. You'll know soon enough if something 
> breaks.
> If you do want to enhance prototype, isolate this code and run it 
> before freezing builtins.
>
> The module loader API has something close to what you ask:
> http://wiki.ecmascript.org/doku.php?id=harmony:module_loaders#loader.prototype.definebuiltins_obj 
>
>
> David
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss

-- 
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
domenic at domenicdenicola.com (2013-10-01T20:56:42.955Z)
It's not easy to freeze the world like Caja is doing, and it's not easy 
to have a library that takes care of it securely, and the use case is 
not always to use modules to have a fresh global.

Some years ago, doing widgets stuff inside web pages, I had a 
"RestoreNativeVar" function restoring natives using strange hooks like 
taking them from iframes (no comments...)

The issue is probably not TC39 only, but looking at W3C security groups 
specs which apparently have some hard time defining something secure, 
maybe SES concepts are coming late in the TC39 schedule, all new Web API 
define more globals, this is usefull to have something that freezes the 
entire global when you need it instead of hacking around.
Edit