On Mon, Mar 11, 2013 at 7:57 PM, Andrea Giammarchi <andrea.giammar...@gmail.com> wrote:

> On Mon, Mar 11, 2013 at 3:39 PM, Dean Landolt <d...@deanlandolt.com> wrote:
>
>> it's not the same thing as apply, bind, or call -- in each of the latter
>> forms you're explicitly handing out the `this` reference capability.
>> There's clearly no capability leak as with caller.
>>
>
> I wonder how would you access the `this` reference using `caller` from
> somewhere else, exactly, 'cause more I think about above sentence, the more
> I realize I really do not understand what are you talking about ...
>
> (function test() {
>   function what() {
>     alert(what.caller);
>   }
>   what();
> }());
>
> So I've got `test` there, now what about leaking `this` ... how ?
>

The leakage is that caller is a reference -- having that reference gives you the *capability* to follow any further references on its object graph. This reference wasn't explicitly handed out (as is always the case with this-binding in call, apply and bind) -- it was just *leaked* out by the simple fact that the function was called. It's very possible the caller has all kinds of powers you didn't intend to expose to the callee -- these powers have been leaked. It's really not complex -- this is an inherent, unpluggable leak. And since OCap is now *the* security model of es, there's really no sense in trying to revive caller -- it's gone for good.
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
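The leak described in the reply above, as an added example that is not part of the original thread: a callee that is handed nothing reaches an object its caller holds, and strict mode cuts the path. The names `vault`, `callee`, `sloppyCaller`, `strictCaller` and `strictCallee` are constructed for illustration, and the `null` result for a strict caller is the behaviour assumed of the engine running it (V8 does this).

```javascript
// Constructed demo. Function-constructor bodies are sloppy-mode unless they
// opt in, so this behaves the same as a classic script or an ES module.
const demo = new Function(`
  // Callee: receives no arguments and no useful 'this'.
  function callee() {
    var c = callee.caller;       // reference obtained merely by being called
    if (c === null) return null; // engine censored the caller
    return c.arguments[0];       // follow the object graph from that reference
  }
  // Sloppy caller: holds 'vault' and never passes it on.
  function sloppyCaller(vault) { return callee(); }
  // Strict caller: same shape, but it is hidden from 'caller'.
  function strictCaller(vault) { "use strict"; return callee(); }
  // Strict callee: reading its own 'caller' is a TypeError.
  function strictCallee() { "use strict"; return strictCallee.caller; }
  return { sloppyCaller, strictCaller, strictCallee };
`)();

// Constructed sample object standing in for a power held by the caller.
const vault = { token: "constructed-sample-value" };

// Returns whatever the callee managed to extract, or null if it got nothing.
function leakedFrom(callerFn) {
  try {
    return callerFn(vault);
  } catch (e) {
    return null; // some engines throw instead of returning null
  }
}

// True when a strict function refuses to reveal its caller.
function strictCalleeThrows() {
  try {
    demo.strictCallee();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

console.log("sloppy caller leaks vault:", leakedFrom(demo.sloppyCaller) === vault);
console.log("strict caller leaks:", leakedFrom(demo.strictCaller));
console.log("strict callee throws:", strictCalleeThrows());
```
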