On Jul 26, 2015, at 12:55 PM, Andrea Giammarchi wrote:
> with all due respect Allen, I'm completely against magic-function-name
> assignment for various reason and leaking ain't one.
Implicit function name property assignment is part of ES2015.
> What could you assign in ES6 that cannot be retrieved anyway through
> getOwnPropertySymbols and getOwnPropertyNames ? A triple-magic private Proxy
> handler or what?
A sandbox can censor getOwnPropertySymbol and other reflection functions.
> I mean, the moment you could access that method is the moment it could leak
> with or without a name, right?
>
> Just curious about what you had in mind, again I agree having this in is a
> no-go.
Just saying that an exposed property name is a different (and potentially more
broadly exploitable) capability than exposing a local variable name.
TC39 reached consensus on automatically assigning the `name` property for
expression forms like:
Identifier = FunctionExpression
and so it is part of ES2015. We did not have consensus on doing the same for:
MemberExpression.IdentifierName = FunctionExpression
or
MemberExpression[Expression] = FunctionExpression
so it is not part of ES2015. There were various objections that would have to
be overcome before we could adopt that.
Allen
>
> Best Regards
>
> On Sun, Jul 26, 2015 at 8:48 PM, Allen Wirfs-Brock <[email protected]>
> wrote:
>
> On Jul 26, 2015, at 5:11 AM, Benjamin Gruenbaum wrote:
>
> > In theory this sounds like a cool idea, I didn't even know variable
> > assignments named functions.
> >
> > The only issue I see here is how we're now differentiating assignment by
> > where it happens - what if the property is computed? As far as I know
> > function names are more constrained (like variable names) in what they can
> > be. Object properties may contain characters that function names may not.
>
> the possibility that the property key is a symbol is a primary reason that
> this expression form does not set the `name` property.
>
> There may also be security concerns. The `name` property potentially leaks
> via the function object the name of the variable it is initially assigned to.
> But there isn't much someone could do with a local variable name, outside of
> the originating function. But a leaked property name potentially carries a
> greater capability.
>
> Allen
> _______________________________________________
> es-discuss mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/es-discuss
>
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
