Thanks for clarifying the Racket design, Sam.

I like the proposed refactoring where David's proposed "isPrivateNameKnown"
property essentially becomes an extra argument to the Proxy constructor
(let's call it the "name whitelist").

I do agree with David on two points:
- if a name isn't on the name whitelist, the default should not be to
forward (this pierces membranes).

- if the name whitelist is to be an updatable (mutable) collection, it
should probably be a Set (or WeakSet?). Now, the proxy will need to do a
lookup of a private name on the whitelist, so you want to make sure that an
attacker cannot provide a whitelist that steals the name during lookup. Two
ways to achieve that:
1) require that the whitelist be a genuine built-in WeakMap instance.
2) don't turn the whitelist into an explicit collection, instead provide 2
built-ins: Proxy.enableName(proxy,name), Proxy.disableName(proxy,name) to
implicitly control the whitelist. This gives implementors a lot more
freedom in how they store/look up known private names and sidesteps leaking
names through user-defined whitelists.

Cheers,
Tom
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
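The leak Tom describes, and the two ways of closing it, can be modelled with today's JavaScript. The block below is an added example and is not code from the es-discuss thread or from any engine: Symbols stand in for the proposed private names, a built-in Set stands in for the name whitelist, and all identifiers (makeMembrane, enableName, disableName, SECRET, EvilSet) are constructed for the illustration. It shows (1) the default of not forwarding an unknown name, (2) how a duck-typed whitelist whose `has` method is user-supplied observes the name during lookup, (3) how a brand check against the genuine `Set.prototype.has` rejects a fake collection and ignores an overridden `has` on a Set subclass, and (4) the alternative where the whitelist is never exposed and is edited only through enable/disable built-ins.

```javascript
// Added example (not from the es-discuss thread). Symbols model private names,
// a built-in Set models the whitelist; all names here are constructed.
const genuineSetHas = Set.prototype.has;

// Build a membrane around `target`. Symbol-keyed ("private name") access is
// forwarded only when the name is whitelisted; unknown names are NOT forwarded.
//   duckTyped = true  -> insecure variant: call whatever `has` the caller supplied.
//   duckTyped = false -> brand-checked variant: only a genuine built-in Set works.
function makeMembrane(target, whitelist, duckTyped = false) {
  const isKnown = (name) =>
    duckTyped
      ? whitelist.has(name)                  // user code observes `name` here
      : genuineSetHas.call(whitelist, name); // TypeError unless a real Set
  return new Proxy(target, {
    get(t, key, receiver) {
      if (typeof key === 'symbol' && !isKnown(key)) return undefined;
      return Reflect.get(t, key, receiver);
    },
    has(t, key) {
      if (typeof key === 'symbol' && !isKnown(key)) return false;
      return Reflect.has(t, key);
    },
  });
}

// Variant 2 from the message: no user-visible collection. The whitelist lives in
// a WeakMap private to this module and is edited only through enableName /
// disableName (stand-ins for the proposed Proxy.enableName / Proxy.disableName).
const knownNames = new WeakMap(); // proxy -> Set of enabled names
function makeMembraneWithBuiltins(target) {
  const names = new Set();
  const proxy = makeMembrane(target, names);
  knownNames.set(proxy, names);
  return proxy;
}
function enableName(proxy, name) { knownNames.get(proxy).add(name); }
function disableName(proxy, name) { knownNames.get(proxy).delete(name); }

// --- Scenarios ------------------------------------------------------------
const SECRET = Symbol('secret'); // constructed stand-in for a private name
function makeTarget() { return { [SECRET]: 42, pub: 'visible' }; }

// (1) Default: a name not on the whitelist is not forwarded through the membrane.
function demoDefaultNotForwarded() {
  const proxy = makeMembrane(makeTarget(), new Set());
  return proxy.pub === 'visible' && proxy[SECRET] === undefined && !(SECRET in proxy);
}

// (2) Duck-typed whitelist: the attacker-supplied `has` sees the name on lookup.
function demoNameLeak() {
  const stolen = [];
  const evilWhitelist = { has(name) { stolen.push(name); return true; } };
  const proxy = makeMembrane(makeTarget(), evilWhitelist, true);
  void proxy[SECRET];                       // victim code touches the private name
  return stolen.length === 1 && stolen[0] === SECRET;
}

// (3) Brand-checked whitelist: a plain object is rejected with a TypeError, and a
// Set subclass with an overridden `has` is consulted via the built-in method, so
// the override never runs and nothing leaks.
function demoBrandCheck() {
  const stolen = [];
  const evilWhitelist = { has(name) { stolen.push(name); return true; } };
  const proxy1 = makeMembrane(makeTarget(), evilWhitelist);
  let rejected = false;
  try { void proxy1[SECRET]; } catch (e) { rejected = e instanceof TypeError; }

  class EvilSet extends Set { has(name) { stolen.push(name); return true; } }
  const proxy2 = makeMembrane(makeTarget(), new EvilSet([SECRET]));
  const forwarded = proxy2[SECRET] === 42;  // genuine membership check
  return rejected && forwarded && stolen.length === 0;
}

// (4) Built-in enable/disable: the whitelist is never handed to user code.
function demoEnableName() {
  const proxy = makeMembraneWithBuiltins(makeTarget());
  const before = proxy[SECRET];
  enableName(proxy, SECRET);
  const during = proxy[SECRET];
  disableName(proxy, SECRET);
  const after = proxy[SECRET];
  return before === undefined && during === 42 && after === undefined;
}
```

The brand check works because `Set.prototype.has` reads the receiver's internal slot and throws for anything that is not a real Set; that is what lets the membrane trust the lookup without ever calling user code with the name as an argument. The enable/disable variant goes one step further and removes the collection from the API surface altogether, which is the implementation freedom Tom points to.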
