Comment #12 on issue 1274 by [email protected]: Current "virtualize"
strategy isn't safe
http://code.google.com/p/google-caja/issues/detail?id=1274

REFERENCES ACROSS TAMING MEMBRANE

A feral object and its tamed twin, or a guest object and its un-tamed twin,
are always distinct.

* For feral 'x', its tamed twin is always a distinct object constructed in
  the taming frame.
* For guest 'x', its un-tamed twin is always a distinct object constructed
  in the taming frame.

This does not apply in the following two cases:

1. When the objects in question are primitives, like numbers; and
2. Some object 'x' where the host code has deliberately
   called 'caja.tamesTo(x, x)'.

SORTING A "FROZEN" ARRAY

Assume guest code in ES5/3 is in possession of an array 'a'. If guest code
passes that array back to host code *via the taming membrane*, and
if 'caja.tamesTo(a, a)' has not been previously invoked on 'a', the host
code will receive a fresh, non-frozen array constructed in the taming
frame, according to the default taming for arrays.
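
Added example, not part of the original comment and not Caja's code: a toy JavaScript model of the membrane behaviour described above, where twins are distinct objects except for primitives and objects registered with a stand-in tamesTo(x, x), so a frozen guest array crosses as a fresh, non-frozen array. The twin tables, cross(), tame(), untame() and demo() are hypothetical names, and copying elements by crossing each one is an assumption about the default array taming.

```javascript
// Toy model of a taming membrane: illustration only, not Caja's implementation.
// All names here are hypothetical; tamesTo() stands in for caja.tamesTo().
const tamedTwin = new WeakMap(); // feral object -> tamed twin
const feralTwin = new WeakMap(); // guest object -> un-tamed twin

const isPrimitive = (v) =>
  v === null || (typeof v !== 'object' && typeof v !== 'function');

// Register an explicit pairing; tamesTo(x, x) makes x its own twin.
function tamesTo(feral, tamed) {
  tamedTwin.set(feral, tamed);
  feralTwin.set(tamed, feral);
}

// Carry a value across the membrane (plain data objects and arrays only).
function cross(value, twins, reverse) {
  if (isPrimitive(value)) return value;          // case 1: primitives
  if (twins.has(value)) return twins.get(value); // known twin, incl. tamesTo(x, x)
  const twin = Array.isArray(value) ? [] : {};   // fresh, non-frozen object
  twins.set(value, twin);                        // register first so cycles terminate
  reverse.set(twin, value);
  // Assumption: members are copied by crossing each one in turn.
  for (const k of Object.keys(value)) twin[k] = cross(value[k], twins, reverse);
  return twin;
}
const tame = (feral) => cross(feral, tamedTwin, feralTwin);
const untame = (guest) => cross(guest, feralTwin, tamedTwin);

function demo() {
  const a = Object.freeze([3, 1, 2]);      // constructed guest-side array
  const received = untame(a);              // what host code gets via the membrane
  received.sort();                         // succeeds: the host holds a fresh copy
  const shared = Object.freeze([3, 1, 2]); // constructed array, marked as its own twin
  tamesTo(shared, shared);
  return {
    distinct: received !== a,
    receivedFrozen: Object.isFrozen(received),
    received,
    original: a.slice(),                   // guest's array keeps its order
    sharedPassesThrough: untame(shared) === shared,
    primitive: untame(42),
  };
}

console.log(demo());
```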