On 27/10/2012 00:59, Mark S. Miller wrote:
> On Fri, Oct 26, 2012 at 3:45 PM, David Bruant <[email protected]> wrote:
>
>> On 27/10/2012 00:23, Kevin Reid wrote:
>>> How about: there must be no /nonstandard non-configurable
>>> properties/ of standard objects.
>
> Good. This agrees with
> <http://wiki.ecmascript.org/doku.php?id=conventions:make_non-standard_properties_configurable>.
>
>>> This directly implies “SES can do its job of deleting everything
>>> not whitelisted”, and does not rely on the spec blacklisting
>>> undesirable behaviors.
>> Interesting. I think there are two slightly different problems to
>> solve:
>> 1) Make applications written in the language securable
>> 2) Make applications written in the language not insecure
>>
>> ES5 strict mode, by poison-pilling .caller and .arguments and by
>> fixing dynamic scoping features took in the direction of making
>> the language not insecure by default.
>
> Did you mean "not insecurable by default". ES5 strict by itself is
> certainly far from secure (or "not insecure"). But because of poison
> pills and such, ES5 is securable.

I meant "not insecure by default" when I wrote it, but I agree "not insecurable by default" is more correct.

>> The addition of Object.freeze and a couple of other things went in
>> the direction of making the applications securable.
>>
>> I feel I was going for making the language not insecure with my
>> section 2 refinement, but I guess which is better really depends
>> on the danger provided by the non-standard capability.
>> I guess there is a case for both. Maybe the refinement I proposed
>> could fall into 2 subsections: one for "don't ever add this kind
>> of capability to the language or you're putting users at risk" and
>> another for "if you add this kind of capability, make sure it's
>> securable" (non-configurable I assume for most cases).
>
> Did you mean "configurable"?

Yes, of course, sorry about this very misleading typo.

David
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
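
An added illustration (not code from this thread or from SES) of the point quoted above: cleanup by whitelist only succeeds when every non-standard property is configurable. The object and the property names `vendorPeek` and `vendorLeak` are constructed stand-ins, not real engine extensions.

```javascript
'use strict';

// Constructed stand-in for a "standard object" as shipped by a hypothetical engine.
function makeFakeBuiltin() {
  const obj = {};
  // Standard member, present on the whitelist.
  Object.defineProperty(obj, 'slice', {
    value: function slice() {}, writable: true, enumerable: false, configurable: true,
  });
  // Non-standard extension that follows the convention: configurable.
  Object.defineProperty(obj, 'vendorPeek', {
    value: function vendorPeek() {}, writable: true, enumerable: false, configurable: true,
  });
  // Non-standard extension that breaks the convention: non-configurable.
  Object.defineProperty(obj, 'vendorLeak', {
    value: function vendorLeak() {}, writable: false, enumerable: false, configurable: false,
  });
  return obj;
}

// Delete every own property that is not whitelisted and report the outcome.
function cleanByWhitelist(target, whitelist) {
  const removed = [];
  const stuck = [];
  for (const key of Reflect.ownKeys(target)) {
    if (whitelist.has(key)) continue;
    // Reflect.deleteProperty returns false for a non-configurable property,
    // where the strict-mode `delete` operator would throw a TypeError.
    if (Reflect.deleteProperty(target, key)) {
      removed.push(key);
    } else {
      stuck.push(key);
    }
  }
  // The object is only securable this way if nothing non-whitelisted survives.
  return { removed, stuck, securable: stuck.length === 0 };
}

function demo() {
  const builtin = makeFakeBuiltin();
  const result = cleanByWhitelist(builtin, new Set(['slice']));
  return { result, remaining: Reflect.ownKeys(builtin) };
}

console.log(JSON.stringify(demo()));
```

A non-empty `stuck` list is the condition a whitelisting initializer has to treat as a failure, since the surviving property stays reachable by any code it later confines.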

