On 16/12/2011 20:58, Brendan Eich wrote:
> From: "David Bruant" <bruan...@gmail.com>
>> Let's say we have two attenuators (proxies which reduce your authority over 
>> a given object) constructors we'd like to compose: makeAttenuated1 and 
>> makeAttenuated2 
>> ----- 
>> // assuming we have an object 'o' and a private name 'p' 
>> var aao = makeAttenuated2(makeAttenuated1(o)); 
>> aao[p] = 37; 
>> ----- 
>> The 'set' trap of the attenuator2 is called with p.public as name. Then, 
>> this attenuator cannot pass p.public to the attenuator1 proxy as a name 
>> since p.public is not a name object 
> That's right. Only if the first attenuator is introduced to the private name, 
> or otherwise has access (from birth), in an objcap-safe way, can it tell that 
> p.public corresponds uniquely to p. If it wishes, it can then substitute p 
> for p.public before forwarding to attenuator2.
So, to summarize:
** if I trust a proxy, I share a:
1) name.public
2) a correspondence dictionary
** if I don't trust a proxy, I share:
1) name.public

name.public is public so there is no issue, but we've just shared
name.public with the entire planet. What about just getting rid of the
'name.public'?
It would work as follows:
* if I trust a proxy, I share:
1) the private name
* if I don't trust a proxy, I share:
0) nothing!

"When proxy traps are invoked for a private name, they receive the
name’s |.public| property instead of the name itself. *This prevents
unintended leakage of the private name*, but still identifies the name
to code that already has access to it."
=> And what will save me from unintended leakage of the correspondence
dictionary?
(since that's the actual secret unsealer)

... or maybe we can add a public part of the dictionary and create
another dictionary that will do the (public dictionary)->(private
dictionary) correspondence? ;-)

I'm not an expert in objcap, but from all that I've read, it seems to
rely on the rule "if you have it, do whatever you want with it", which
forces the programmer to have a strong hygiene on what she shares, on
what authority she leaves to other (potentially untrusted) parties.
We can have long discussions about the probability of leaking a private
name or a correspondence dictionary but I think we will have left the
realm of object capabilities which is not about probabilities from what
I have read.

David
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
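As an added example, not code from the thread or from the private-names proposal itself: a small JavaScript model of the "traps receive name.public" rule, showing two stacked attenuators forwarding a private-name set only when each has been introduced to the name through a correspondence dictionary (a WeakMap from name.public back to the name), and failing to forward when it has not. The helper names are assumptions made for this model.

```javascript
// Added example, not code from the thread. It models the 2011 private-names proposal
// in plain JavaScript: a private name carries a `.public` token, and a proxy trap is
// handed that token instead of the name. All function names here are assumed.

const slots = new WeakMap();    // private name -> WeakMap(object -> value)
const handlers = new WeakMap(); // attenuator -> { target, set trap }

// Holding `name` grants full use; `name.public` only identifies it to a trap.
function makePrivateName() {
  const name = Object.freeze({ public: Object.freeze({}) });
  slots.set(name, new WeakMap());
  return name;
}

// Emulates `obj[name] = value`: on an attenuator the set trap sees only name.public,
// on a plain object the value is stored under the name.
function privateSet(obj, name, value) {
  if (!slots.has(name)) throw new TypeError("not a private name");
  const h = handlers.get(obj);
  if (h) return h.set(h.target, name.public, value);
  slots.get(name).set(obj, value);
  return true;
}

// An attenuator forwarding sets to `target`. To forward a private-name set it must
// map the public token back to the name via the correspondence dictionary; an
// untrusted proxy that was never given the dictionary cannot forward at all.
function makeAttenuated(target, correspondence) {
  const att = {};
  handlers.set(att, {
    target,
    set(t, pub, value) {
      const name = correspondence && correspondence.get(pub);
      if (!name) throw new TypeError("trap received only name.public; cannot forward");
      return privateSet(t, name, value);
    },
  });
  return att;
}

function demo() {
  const o = {};
  const p = makePrivateName();
  const dict = new WeakMap([[p.public, p]]); // correspondence dictionary: the real unsealer
  const aao = makeAttenuated(makeAttenuated(o, dict), dict); // both proxies trusted with dict
  privateSet(aao, p, 37);
  const stored = slots.get(p).get(o);                        // 37: forwarded through both
  let forwarded = true;                                      // untrusted outer proxy, no dict
  try { privateSet(makeAttenuated(o), p, 1); } catch (e) { forwarded = false; }
  return { stored, forwarded };
}
```

Whoever holds `dict` can recover `p` from `p.public`, which is the point made above: leaking the dictionary leaks the name.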
