On Thu, May 31, 2012 at 7:44 PM, David Herman <[email protected]> wrote:

> On May 31, 2012, at 2:40 PM, Mark S. Miller wrote:
>
>> if (isBoundOrWhateverWeCallIt(f)) {
>>   //... do something
>> } else {
>>   //... do something else
>> }
>>
>> If the predicate means what I think it should mean, I can offer some
>> examples of when I would do this.
>
> Could you? I haven't yet understood what you want your predicate to mean or
> what you want it for.
Take a look at slides 45 and 46 of

http://www.infoq.com/presentations/Secure-Mashups-in-ECMAScript-5
http://qconsf.com/dl/qcon-sanfran-2011/slides/MarkS.Miller_RemainingHazardsAndMitigatingPatternsOfSecureMashupsInEcmaScript5.pdf

Rewind first to remind yourself of enough context to get the point.

Rather than teach defensive programmers to write "(1,subscribers[+i])(publication);", I think it is both more robust and more teachable to teach them to do input validation where they accept a function that they expect to not be this-sensitive.

    subscribe: function(subscriber) {
      if (!isBoundThisOrWhateverWeCallIt(subscriber)) {
        throw Error("only non-this-sensitive functions (such as bound functions) may be subscribers");
      }
      subscribers.push(subscriber);
    }

Amusingly, the example becomes exactly the inverse of Allen's, leveraging soundness rather than fighting incompleteness.

We could instead make the subscribe method defensive by writing

    subscribe: function(subscriber) {
      subscribers.push(subscriber.bind(undefined));
    }

This would be as safe; it would successfully prevent the same attacks. When the attacks are due to malice, this would be as good -- better, since it is simpler. But most "attacks" are actually accidents, not malice. This simpler alternative fails to give an early diagnostic to accidental attackers -- which is directly analogous to the test's purpose in Allen's code. The "(1,subscribers[+i])" technique shown on the slide has the same lack-of-early-feedback problem.

With the isBoundThisOrWhateverWeCallIt test as previously proposed, callers of subscribe can only successfully call it with either a fat arrow function or a bound function, which is often an unnecessary burden on these callers. With the test I propose, callers can also successfully call it with any function that neither mentions this nor contains a direct eval operator.
The remaining false negatives of my test would cause only the minor annoyance of "unnecessarily" rejecting "safe" cases like

    subscribe(function() {
      if (false) { doSomethingWith(this); }
    });

-- 
Cheers,
--MarkM

_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
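The hazard from the slides and the three alternatives weighed in the message above, written out as an added example that is not part of the original thread and not code from any ES proposal. The predicate `isNotThisSensitive` is an assumed stand-in for the engine-level test Mark proposes (which was never added to the language): it approximates "bound, arrow, or mentions neither `this` nor direct `eval`" by inspecting `Function.prototype.toString`, so it is a heuristic with the over-rejection the message describes. `makePublisher`, the four `make*Publisher` factories, `makeSpy` and `demo` are likewise constructed here for illustration.

```javascript
'use strict';

// Added example, not code from the es-discuss thread. It reproduces the
// `this`-leak hazard from the slides and the three mitigations discussed.
// Every name below (makePublisher, isNotThisSensitive, makeSpy, demo) is
// constructed for illustration.

// Generic publisher: `accept` screens or transforms a subscriber on entry,
// `call` decides how a stored subscriber is invoked on publish.
function makePublisher({ accept = (f) => f, call }) {
  const subscribers = [];
  return {
    subscribe(subscriber) { subscribers.push(accept(subscriber)); },
    publish(publication) {
      for (let i = 0; i < subscribers.length; i++) call(subscribers, i, publication);
    },
  };
}

// Hazard: `subs[i](pub)` is a method-style call, so the subscriber runs with
// `this` bound to the private array and can remove, replace or invoke its siblings.
const makeLeakyPublisher = () =>
  makePublisher({ call: (subs, i, pub) => subs[i](pub) });

// Mitigation 1 (the slide's idiom): `(1, subs[+i])` evaluates to the bare
// function value, so a strict-mode subscriber sees this === undefined.
const makeCommaPublisher = () =>
  makePublisher({ call: (subs, i, pub) => (1, subs[+i])(pub) });

// Mitigation 2: rebind on entry. Equally safe, but a this-sensitive
// subscriber is accepted silently and only misbehaves later.
const makeBindingPublisher = () =>
  makePublisher({ accept: (f) => f.bind(undefined), call: (subs, i, pub) => subs[i](pub) });

// Mitigation 3: input validation. No such predicate exists in the language;
// this stand-in (an assumption, not the proposed built-in) approximates it
// from Function.prototype.toString: bound and arrow functions pass outright,
// any other function passes only if its source mentions neither `this` nor
// `eval`. It over-rejects (a `this` in a string or comment still fails),
// which is the kind of false negative the message is willing to live with.
function isNotThisSensitive(f) {
  if (typeof f !== 'function') return false;
  const src = Function.prototype.toString.call(f);
  if (/\[native code\]/.test(src)) {
    // Bound functions stringify as native code and are named "bound <name>".
    return f.name.startsWith('bound ');
  }
  if (/^(async\s+)?(\([^)]*\)|[\w$]+)\s*=>/.test(src)) {
    return true; // arrow function: no own `this`, so not sensitive to the call site
  }
  return !/\b(this|eval)\b/.test(src);
}

const makeValidatingPublisher = () =>
  makePublisher({
    accept(f) {
      if (!isNotThisSensitive(f)) {
        throw new TypeError(
          'only non-this-sensitive functions (such as bound functions) may be subscribers');
      }
      return f;
    },
    call: (subs, i, pub) => subs[i](pub),
  });

// A this-sensitive subscriber that records the `this` it was handed, standing
// in for an accidental (or malicious) subscriber.
function makeSpy() {
  const seen = [];
  function spy(publication) { 'use strict'; seen.push(this); }
  return { spy, seen };
}

// Drive each publisher with the spy and report what `this` it observed.
function demo() {
  const results = {};
  const makers = { leaky: makeLeakyPublisher, comma: makeCommaPublisher, binding: makeBindingPublisher };
  for (const [name, make] of Object.entries(makers)) {
    const p = make();
    const s = makeSpy();
    p.subscribe(s.spy);
    p.publish('hello');
    results[name] = s.seen[0];
  }
  try { makeValidatingPublisher().subscribe(makeSpy().spy); results.validating = 'accepted'; }
  catch (e) { results.validating = e.name; }
  return results;
}
```

Calling `demo()` shows the difference the message is drawing: the leaky publisher hands the spy its whole subscribers array as `this`; the comma-operator and `.bind(undefined)` publishers both hand it `undefined`, but only at publish time; the validating publisher refuses the spy with a `TypeError` at `subscribe` time, which is the early diagnostic an accidental attacker needs. The same predicate still rejects the `if (false) { doSomethingWith(this); }` function from the end of the message, since the heuristic looks only at source text.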

