On Mon, Mar 11, 2013 at 7:57 PM, Andrea Giammarchi <
andrea.giammar...@gmail.com> wrote:
> On Mon, Mar 11, 2013 at 3:39 PM, Dean Landolt <d...@deanlandolt.com>wrote:
>
>> it's not the same thing as apply, bind, or call -- in each of the latter
>> forms you're explicitly handing out the `this` reference capability.
>> There's clearly no capability leak as with caller.
>>
>
> I wonder how would you access the `this` reference using `caller` from
> somewhere else, exactly, 'cause more I think about above sentence, the more
> I realize I really do not understand what are you talking about ...
>
> (function test() {
> function what() {
> alert(what.caller);
> }
> what();
> }());
>
> So I've got `test` there, now what about leaking `this` ... how ?
>
The leakage is that caller is a reference -- having that reference gives
you the *capability *to follow any further references on its object graph.
This reference wasn't explicitly handed out (as is always the case with
this-binding in call, apply and bind) -- it was just *leaked* out by the
simple fact that the function was called. It's very possible the caller has
all kinds of powers you didn't intend to expose to the callee -- these
powers have been leaked. It's really not complex -- this is an inherent,
unpluggable leak. And since OCap is now *the* security model of es, there
really no sense in trying to revive caller -- it's gone for good.
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
