related: are explicitly bound functions going to get a 'target' reference to the unbound function in ES6? I've manually set this property many times (mainly for debugging)
On Thu, May 31, 2012 at 9:05 PM, Mark S. Miller <erig...@google.com> wrote: > On Thu, May 31, 2012 at 7:44 PM, David Herman <dher...@mozilla.com> wrote: > > On May 31, 2012, at 2:40 PM, Mark S. Miller wrote: > > > >> if (isBoundOrWhateverWeCallIt(f)) { > >> //... do something > >> } else { > >> //... do something else > >> } > >> > >> If the predicate means what I think it should mean, I can offer some > examples of when I would do this. > > > > Could you? I haven't yet understood what you want your predicate to mean > or what you want it for. > > Take a look at slides 45 and 46 of > http://www.infoq.com/presentations/Secure-Mashups-in-ECMAScript-5 > > http://qconsf.com/dl/qcon-sanfran-2011/slides/MarkS.Miller_RemainingHazardsAndMitigatingPatternsOfSecureMashupsInEcmaScript5.pdf > > Rewind first to remind yourself of enough context to get the point. > > Rather than teach defensive programmers to write > "(1,subscribers[+i])(publication);", I think it is both more robust > and more teachable to teach them to do input validation where they > accept a function that they expect to not be this-sensitive. > > subscribe: function(subscriber) { > if (!isBoundThisOrWhateverWeCallIt(subscriber)) { > throw Error("only non-this-sensitive functions (such as > bound functions) may be subscribers"); > } > subscribers.push(subscriber); > } > > Amusingly, the example becomes exactly the inverse of Allen's, > leveraging soundness rather than fighting incompleteness. > > We could instead make the subscribe method defensive by writing > > subscribe: function(subscriber) { > subscribers.push(subscriber.bind(undefined)); > } > > This would be as safe; it would successfully prevent the same attacks. > When the attacks are due to malice, this would be as good -- better > since it is simpler. But most "attacks" are actually accidents, not > malice. This simpler alternative fails to give an early diagnostic to > accidental attackers -- which is directly analogous to the test's > purpose in Allen's code. The "(1,subscribers[+i])" technique shown on > the slide has the same lack-of-early feedback problem. > > With the isBoundThisOrWhateverWeCallIt test as previously proposed, > callers of subscribe can only successfully call it with either a fat > arrow function or a bound function, which is often an unnecessary > burden on these callers. With the test I propose, callers can also > successfully call it with any function that neither mentions this nor > contains a direct eval operator. The remaining false negatives of my > test would cause only the minor annoyance of "unnecessarily" rejecting > "safe" cases like > > subscribe(function() { if (false) { doSomethingWith(this); } }); > > -- > Cheers, > --MarkM > _______________________________________________ > es-discuss mailing list > es-discuss@mozilla.org > https://mail.mozilla.org/listinfo/es-discuss >
_______________________________________________ es-discuss mailing list es-discuss@mozilla.org https://mail.mozilla.org/listinfo/es-discuss