Thanks, Sam -- couldn't have said it better. /be
----- Original Message ----- From: "Sam Tobin-Hochstadt" <[email protected]> To: "David Bruant" <[email protected]> Cc: "Brendan Eich" <[email protected]>, "es-discuss" <[email protected]> Sent: Friday, December 16, 2011 3:24:42 PM Subject: Re: Are Private name and Weak Map the same feature? and the Assoc API On Fri, Dec 16, 2011 at 6:09 PM, David Bruant <[email protected]> wrote: > >> Requiring you to care in order to avoid leaking private names is incredibly >> error-prone. > So is requiring you to care in order to avoid leaking the public -> > private map. It's no more, no less dangerous or error-prone. > If I have to be careful about who I hand a reference to the public -> > private dictionary, how is it more dangerous or error-prone to be > careful about who you hand the private name to? It's the exact same work. > > I think the difference lies in the habit we have in ES5 that "o[n]" > would not disclose a secret. Also, in ES5+private names "o[n]" does not > disclose a secret. My impression is that '.public' in an attempt to > preserve this property with proxies. > > I propose to take the other approach which is to accept that "o[n]" may > disclose 'n' if 'o' is a proxy. I agree this is a big change in how we > think objects. I used to think this way about private names and proxies, and argued for this position. However, I was wrong and it's a bad idea. Here's why: You might want to implement an object with a private field and a public method like this: let o = (function () { let n = new Name(); return { [n]: 0; get: function() { return this[n]; }}})(); But, if we don't censor private names in proxies, this abstraction leaks! Consider: let p = new Proxy(...); o.get.call(p); Now the name is leaked to the proxy. And there's no way you can fix this, without resorting to some other method of hiding things like closures. The problem you raise, that ocap-style security relies on not leaking data *ever*, is, I think, a real one. But it's one that this solution for proxies *mitigates*, because almost all the time, you don't ever want to care about keeping track of which names have which public version, as in the example I gave. You only need this is you want to allow proxies to support your private name, which isn't the case for every abstraction. But it is the case that without the censoring, proxies break almost every abstraction built using private names. -- sam th [email protected] _______________________________________________ es-discuss mailing list [email protected] https://mail.mozilla.org/listinfo/es-discuss
