Darien Valentine (2018-09-17T15:30:53.000Z)
valentinium at gmail.com (2018-09-17T15:40:12.682Z)
Thanks for the context, James. Yes, this thread mainly concerns the issue of being able to obtain references to values within the handler/target from external code, though I did try to make a case for not having the showProxy option in the original issue thread. I would also not have thought to call it an “attack” vector — agreed that from an “all code is trusted” POV, there is no security issue. But Mark would be able to say better for sure, and apologies if this should have been reported to HackerOne after all. What it does is make an invariant of the language violable. It’s similar to exposing a function which, given only a function object, may return references to arbitrary values from that function’s scope.