On 06/01/2012 06:03, Mark S. Miller wrote:
Such a built in memoization, whether by boundTo or this enhancement to bind itself, creates a fatal ambient communications channel.

// initSES initialization, freezing all built-in primordials other than the true global

// load Alice as a confined object graph

// load Bob as a confined object graph. Alice and Bob should not be able to communicate.
// Covert channels mean we might not be able to prevent them from communicating bits,
// but we must certainly prevent capability leaks.

Alice says

    Object.boundTo(Object).foo = capabilityBobShouldntGet;
or
    Object.bind(Object).foo = capabilityBobShouldntGet;

Bob says

    var HAH = Object.boundTo(Object).foo;
or
    var HAH = Object.bind(Object).foo;

David's WeakMap approach elegantly avoids this problem, because Alice and Bob can only communicate if they already share access to this WeakMap, in which case they could already communicate anyway.
Are you talking about https://gist.github.com/1567494 ?
Because I think I have the same issue. I think I faithfully implemented what Andrea described. Everyone with access to Object.prototype.boundTo has (implicitly) access to the WeakMap, so the capability leak you describe remains in my example, I think.

David
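The channel Mark sketches, worked through as an added example (not code from the thread or from SES): a memoising bind caches one mutable bound function per target, so two confined parties that share only a frozen primordial and the ambient bind can pass a capability through the cache. The names `makeMemoisingBind`, `boundTo` and `SharedObject` are constructed for the illustration; the variant that takes the WeakMap as an explicit argument shows why the leak disappears only when the map itself is not ambient.

```javascript
"use strict";

// Stand-in for a shared primordial after initSES has frozen it (constructed).
const SharedObject = Object.freeze(function SharedObjectCtor() {});

// Hypothetical memoising bind: one cached bound function per target, reachable
// by anyone who can reach the bind itself (as Object.bind would be).
function makeMemoisingBind() {
  const cache = new WeakMap(); // target -> bound function
  return function memoBind(target) {
    let bound = cache.get(target);
    if (!bound) {
      bound = target.bind(undefined); // fresh, extensible function object
      cache.set(target, bound);
    }
    return bound;
  };
}

// Alice and Bob share only `bind` and `primordial`, never a direct reference.
function leakThroughMemoisedBind(bind, primordial) {
  const secret = { capability: "constructed secret" };
  // Alice: the frozen primordial itself rejects a property write...
  try { primordial.foo = secret; } catch (e) { /* TypeError in strict mode */ }
  const directWriteBlocked = primordial.foo !== secret;
  // ...but the cached bound function is mutable and shared through the cache.
  bind(primordial).foo = secret;
  // Bob, holding no capability from Alice, reads it back from the same cache.
  const bobGot = bind(primordial).foo;
  return { directWriteBlocked, leaked: bobGot === secret };
}

// Explicit-WeakMap variant: the cache is a capability the caller must hold.
// Parties that do not already share the map get independent bound functions.
function boundTo(cache, target) {
  let bound = cache.get(target);
  if (!bound) { bound = target.bind(undefined); cache.set(target, bound); }
  return bound;
}

function noLeakWithSeparateMaps(primordial) {
  const aliceMap = new WeakMap(), bobMap = new WeakMap();
  boundTo(aliceMap, primordial).foo = "constructed secret";
  return boundTo(bobMap, primordial).foo === undefined;
}
```

If `boundTo` is instead installed on a frozen primordial with its WeakMap closed over, every party reaches the same map through that primordial and the channel is back, which is the point David concedes above.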
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss