On 9/13/13 2:46 PM, Domenic Denicola wrote:
Thanks Boris, this is indeed all very helpful. I just wanted to point out that what you are calling 
"dictionaries" is largely covered by what I called "destructuring," on the 
input side at least. E.g.

Furthermore, privileged code should never be working with raw page-provided ES 
objects, because doing that makes confused-deputy scenarios impossible to avoid 
in practice.  For example, dictionaries that will be operated on by privileged 
script first need to be coerced to a new clean object with a sane proto chain, 
only value properties, and the values themselves coerced to be safe to work 
with.  To the extent that we do not have a way to specify or perform such a 
coercion, we have a problem.

I believe this is almost entirely taken care of by destructuring.

Consider this IDL:

  dictionary Dict1 {
    long a = 5;
  };

  dictionary Dict2 {
    sequence<Dict1> dicts;
  };

  void foo(optional Dict2 arg);

How would you express equivalent semantics with destructuring? How does destructuring take care of making sure that arg.dicts is a new array? How does it ensure arg.dicts[0] is a new object with an "a" property, not whatever was passed in? And in any case it does not do any coercion on arg.dicts[0].a.

This is not a hypothetical setup; there are WebRTC APIs that want behavior akin to this.

Or am I just completely out of touch with what destructuring can do nowadays?

Aside from that, much appreciate you spelling out what you find most important, 
and I think we're on the same page there.

Good, good.  ;)

-Boris
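As an added example (not code from Boris's or Domenic's messages), here is roughly what a WebIDL-style conversion of the Dict1/Dict2 IDL above has to do, in JavaScript, placed next to what a plain destructuring pattern gives the callee. The names toLong, convertDict1, convertDict2, foo and compare are my own, and the page-side input object is constructed for the demonstration.

```javascript
// Added example, not from the thread: WebIDL-style dictionary conversion for
// the Dict1/Dict2 IDL, beside plain destructuring of the same page object.

// WebIDL "long" without [EnforceRange]: ToNumber, then ToInt32 semantics,
// i.e. NaN/Infinity -> 0, truncation, wrap modulo 2^32 into the signed range.
function toLong(v) {
  return Number(v) | 0;
}

function requireObject(v, what) {
  if (v === null || (typeof v !== 'object' && typeof v !== 'function')) {
    throw new TypeError(what + ' must be an object');
  }
}

// dictionary Dict1 { long a = 5; };
function convertDict1(input) {
  if (input === undefined || input === null) input = {}; // missing dictionary == {}
  requireObject(input, 'Dict1');
  const out = Object.create(null);  // no prototype chain for privileged code to trip over
  const a = input.a;                // exactly one [[Get]]; a page getter runs here, once
  out.a = a === undefined ? 5 : toLong(a);
  return Object.freeze(out);        // value properties only, and they stay that way
}

// dictionary Dict2 { sequence<Dict1> dicts; };
function convertDict2(input) {
  if (input === undefined || input === null) input = {};
  requireObject(input, 'Dict2');
  const out = Object.create(null);
  const dicts = input.dicts;
  if (dicts !== undefined) {
    requireObject(dicts, 'Dict2.dicts');
    if (typeof dicts[Symbol.iterator] !== 'function') {
      throw new TypeError('Dict2.dicts is not iterable');
    }
    // sequence<T>: drain the iterator into a fresh array, converting each element.
    // The caller's array is never retained, so later page-side mutation is invisible.
    out.dicts = Object.freeze(Array.from(dicts, (d) => convertDict1(d)));
  }
  return Object.freeze(out);
}

// void foo(optional Dict2 arg);
function foo(arg) {
  const clean = convertDict2(arg);
  // Privileged logic would work on `clean` only, never on `arg`.
  return clean;
}

// Constructed page-side input: the page keeps a handle on the array and
// supplies a string where a long is expected.
function compare() {
  const shared = [{ a: '7.9' }, {}];
  const pageArg = { dicts: shared };

  // Destructuring: one [[Get]] per name. No copy, no coercion, no defaults for
  // nested members; the page still owns everything behind the binding.
  const { dicts: naiveDicts } = pageArg;

  const clean = foo(pageArg);
  shared[0].a = 'changed later';  // the page mutates after the call returns
  return {
    naiveIsCallersArray: naiveDicts === shared,                // true
    naiveSeesLaterMutation: naiveDicts[0].a,                   // 'changed later'
    cleanIsFreshArray: clean.dicts !== shared,                 // true
    cleanA0: clean.dicts[0].a,                                 // 7, coerced before the mutation
    cleanA1: clean.dicts[1].a,                                 // 5, default applied
    cleanHasNullProto: Object.getPrototypeOf(clean) === null,  // true
  };
}
```

The destructuring pattern answers only "which property names do I read"; everything Boris lists (a new array, a new object per element, the default for a, the long coercion, a clean prototype) happens in the conversion functions, and each page-provided value is read exactly once during that conversion rather than on every later access.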

