[e-lang] Rights amplification without transferring flow of control in Caja or ADsafe
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Sat May 17 18:27:33 CDT 2008
Tyler Close wrote:
> To implement the ref_send API in Javascript, the eventual operator
> must securely recognize its created promises, without transferring
> flow of control to an untrusted object. For example, consider the
> implementation of Q.when(promise, ...). The when() implementation must
> queue an observer on the private list of observers inside the provided
> promise object. The implementation can't just call a method on the
> provided promise object, because it might be an untrusted object that
> makes an immediate call or throws an exception. I had been recognizing
> promises by checking the value of the 'constructor' property, but both
> ADsafe and Caja forbid access to this member. Is there some other way
> to perform rights amplification without transferring flow of control
> in Caja and ADsafe?
The suggestion I made (for a different reason) in
<http://www.eros-os.org/pipermail/e-lang/2008-May/012716.html> would
also solve this problem, I think:
# Suppose that _$post, _$get, _$when etc. were defined on Object.prototype,
# and that safe Javascript subsets had the restriction that there is no
# ambient authority to set or define properties with names starting '_$'.
# Assume that the ref_send library is granted explicit authority to set
# these properties on Object.prototype.
--
David-Sarah Hopwood
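The promise-recognition problem Tyler raises, modelled on the `_$`-property proposal quoted above, as an added JavaScript example (not ref_send, Caja or ADsafe code). It assumes the safe subset denies untrusted code any authority to define `_$`-named properties; `BRAND`, `makePromise`, `when`, `isPromise` and `drain` are names chosen here, and the descriptor-based check goes slightly beyond the proposal so that even an accessor planted on a modern engine is never invoked.

```javascript
'use strict';
// Constructed example: the library keeps promise state in '_$'-named own data
// properties. Assumption (from the proposal): only this trusted module may
// define such properties. when() therefore recognizes a promise by reading
// data, never by calling a method that an untrusted object could supply.

const BRAND = Object.freeze({});  // only this module holds a reference to it
const queue = [];                 // eventual-delivery queue, drained explicitly

function makePromise() {
  const p = {};
  const state = { resolved: false, value: undefined, observers: [] };
  // defineProperty defaults: non-writable, non-enumerable, non-configurable
  Object.defineProperty(p, '_$brand', { value: BRAND });
  Object.defineProperty(p, '_$state', { value: state });
  function resolve(v) {
    if (state.resolved) return;
    state.resolved = true;
    state.value = v;
    for (const ob of state.observers) queue.push(() => ob(v));
    state.observers.length = 0;
  }
  return { promise: p, resolve };
}

// Reads the own-property descriptor: a forged 'constructor' plays no role, and
// an accessor planted by untrusted code yields d.value === undefined without
// ever running, so control never passes to the object being inspected.
function isPromise(x) {
  if (x === null || (typeof x !== 'object' && typeof x !== 'function')) return false;
  const d = Object.getOwnPropertyDescriptor(x, '_$brand');
  return d !== undefined && d.value === BRAND;
}

// when(x, cb): cb runs eventually with x's value; a non-promise x is treated
// as an already-resolved value. No method on x is called at any point.
function when(x, cb) {
  const out = makePromise();
  const deliver = v => out.resolve(cb(v));
  if (!isPromise(x)) { queue.push(() => deliver(x)); return out.promise; }
  const st = Object.getOwnPropertyDescriptor(x, '_$state').value;
  if (st.resolved) queue.push(() => deliver(st.value));
  else st.observers.push(deliver);
  return out.promise;
}

// Runs queued observers; in a real library an event loop would do this.
function drain() { while (queue.length) queue.shift()(); }
```

An untrusted object carrying a `when` method that throws, or a `constructor` copied from a genuine promise, is simply treated as a plain value by `when()`.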