On Fri, Feb 3, 2012 at 7:36 AM, John J Barton <johnjbar...@johnjbarton.com>wrote: [...]
> I'm not saying we can't do better, I am claiming that the impact of > adding security features to the programming language is not (yet?) > justified. I must have missed something. What language change suggestions are you reacting to? ES5 already supports SES and ES6 will as well, probably somewhat better. The "costs" were largely non-controversial and are behind us in any case. > There are better solutions based on iframes that do not > require such large investments. In particular, systems like q-comm > allow controlled API access between isolated JS environments. I am (as you know) a big fan of q-comm and such Q libraries, as well as the communicating event loop model where iframe/worker like units only interact by asynchronous messages. These certainly have their place, and that place is huge. However, I *strongly* disagree that iframes are a better security mechanism than the language-based mechanisms provided by SES. iframes are an unholy mess, and *by design and specification* (both old and HTML5) cannot support confinement. The best way to leverage the security that Q-like libraries can provide is to see them as extending SES out onto the network. We can talk more about this offline if you'd like. -- Cheers, --MarkM
_______________________________________________ es-discuss mailing list es-discuss@mozilla.org https://mail.mozilla.org/listinfo/es-discuss