Mark Miller wrote:
>> Given that primordials (other than the global object) are transitively
>> frozen and that the above whitelist was adequately restrictive, each
>> call of a closed function is fully isolated -- its connectivity to the
>> world outside itself is fully under control of its caller. If the
>> module-function's caller denies access to the global object, the
>> indirect eval function, and to the Function constructor, then the
>> module cannot pollute non-local state.
Note that denying access to the Function constructor is nontrivial:
    (function() {}).constructor === Function
    // true
(Function.prototype.constructor can be deleted or modified, at least in
SpiderMonkey, but I don't know if that breaks stuff.)
This is why static subsets like ADsafe and Jacaranda have to blacklist
.constructor. I think most of the other stuff they blacklist no longer
needs to be blacklisted in ES5-strict, but I'm not absolutely sure of that.
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
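
The point made in the message above, as an added example that is not part of the original post and is not code from ADsafe or Jacaranda: binding the name Function to undefined does not deny the constructor, and the two remedies the message mentions (modifying Function.prototype.constructor, or statically blacklisting .constructor) are shown side by side. All function names are hypothetical, the sample sources are constructed, and the static check assumes reflective APIs are already withheld by the caller's whitelist.

```javascript
'use strict';
// Added example; all function names here are hypothetical.
const RealFunction = Function;

// A closed function whose caller "denies" Function by binding the name
// to undefined. The literal below still inherits .constructor.
function closedModule(Function) {
  return (function () {}).constructor;
}

// True when the closed function still reaches the real constructor.
function ctorReachable() {
  return closedModule(undefined) === RealFunction;
}

// Runtime option from the message: modify Function.prototype.constructor
// while untrusted code runs, then restore the original descriptor.
function withCtorMasked(body) {
  const saved = Object.getOwnPropertyDescriptor(RealFunction.prototype, 'constructor');
  Object.defineProperty(RealFunction.prototype, 'constructor',
    { value: undefined, writable: false, enumerable: false, configurable: true });
  try {
    return body();
  } finally {
    Object.defineProperty(RealFunction.prototype, 'constructor', saved);
  }
}

// Static option (the blacklist approach): refuse source that could name
// the property. Over-strict on purpose: rejects the word anywhere, any
// \u or \x escape, and every "[" that is not of the form [digits].
// Assumes reflective APIs are withheld by the caller's whitelist.
function staticCheckRejects(src) {
  return /constructor/.test(src) ||
         /\\[ux]/.test(src) ||
         /\[(?!\s*\d+\s*\])/.test(src);
}

// Constructed sample module bodies.
const samples = [
  'return (function(){}).constructor;',        // direct mention
  'var k = "con" + "structor"; return f[k];',  // computed subscript
  'return f.\\u0063onstructor;',               // escaped identifier
  'return xs[0] + 1;',                         // plain numeric index
];
function sampleVerdicts() { return samples.map(staticCheckRejects); }
```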