[e-lang] Rights amplification without transferring flow of control in Caja or ADsafe
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Sat May 17 18:29:14 CDT 2008
David-Sarah Hopwood wrote:
> Tyler Close wrote:
>> To implement the ref_send API in Javascript, the eventual operator
>> must securely recognize its created promises, without transferring
>> flow of control to an untrusted object. For example, consider the
>> implementation of Q.when(promise, ...). The when() implementation must
>> queue an observer on the private list of observers inside the provided
>> promise object. The implementation can't just call a method on the
>> provided promise object, because it might be an untrusted object that
>> makes an immediate call or throws an exception. I had been recognizing
>> promises by checking the value of the 'constructor' property, but both
>> ADsafe and Caja forbid access to this member. Is there some other way
>> to perform rights amplification without transferring flow of control
>> in Caja and ADsafe?
>
> The suggestion I made (for a different reason) in
> <http://www.eros-os.org/pipermail/e-lang/2008-May/012716.html>
Wrong URL; I meant
<http://www.eros-os.org/pipermail/e-lang/2008-May/012715.html>.
> would also solve this problem, I think:
>
> # Suppose that _$post, _$get, _$when etc. were defined on Object.prototype,
> # and that safe Javascript subsets had the restriction that there is no
> # ambient authority to set or define properties with names starting '_$'.
> # Assume that the ref_send library is granted explicit authority to set
> # these properties on Object.prototype.
--
David-Sarah Hopwood
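The problem raised in the quoted message, recognising one's own promise objects without running any code belonging to the candidate, can be illustrated with a small brand-based implementation. The following is an added example and is not code from this thread, from Caja, ADsafe or the ref_send library. Where the message proposes `_$`-prefixed properties on Object.prototype that only the library has authority to define, this example uses a module-scoped WeakMap as the brand (WeakMap did not exist in 2008 and is an assumption of this example); the security property is the same, in that only code holding the registry can mark an object as a promise or test for the mark. The `Ref` class, `makeHostileCandidate` and the queue/drain model of eventual sends are constructed for the example.

```javascript
// Added illustration: rights amplification for promise recognition without
// transferring control to the candidate object. Not ref_send's code.

class Ref {}                    // handle type for our promises; deliberately empty
const registry = new WeakMap(); // promise handle -> private state (the brand)
const queue = [];               // eventual sends waiting for a later turn

function makePromise() {
  const state = { resolved: false, value: undefined, observers: [] };
  const promise = Object.freeze(new Ref()); // opaque handle, no public surface
  registry.set(promise, state);
  function resolve(value) {
    if (state.resolved) return;
    state.resolved = true;
    state.value = value;
    // Observers run eventually, never inside resolve().
    for (const observer of state.observers.splice(0)) {
      queue.push(() => observer(value));
    }
  }
  return { promise, resolve };
}

// Rights amplification by identity lookup. WeakMap#has reads no property of
// the candidate, so no getter, Proxy trap or method of an untrusted object
// gets to run, and no untrusted object can forge the brand.
function isPromise(candidate) {
  return registry.has(candidate);
}

// Contrast: the 'constructor' check the message says ADsafe and Caja forbid.
// Reading candidate.constructor hands control to the candidate if it is a
// Proxy or defines a getter, and an ordinary object can spoof the value.
function naiveIsPromise(candidate) {
  return candidate !== null && typeof candidate === 'object' &&
    candidate.constructor === Ref;
}

// Q.when-style eventual observation. The observer only ever runs from the
// queue, never during when() itself, whatever the candidate turns out to be.
function when(candidate, observer) {
  const state = registry.get(candidate);
  if (state === undefined) {
    // Not one of ours: treat it as an ordinary, already-resolved value.
    queue.push(() => observer(candidate));
  } else if (state.resolved) {
    queue.push(() => observer(state.value));
  } else {
    state.observers.push(observer);
  }
}

// Run every queued eventual send; returns how many ran.
function drain() {
  let ran = 0;
  while (queue.length > 0) {
    queue.shift()();
    ran += 1;
  }
  return ran;
}

// Constructed stand-in for an untrusted object: a Proxy that logs every
// property read and throws, so any access during recognition is visible.
function makeHostileCandidate() {
  const log = [];
  const proxy = new Proxy({}, {
    get(_target, prop) {
      log.push(String(prop));
      throw new Error('untrusted code ran on access to ' + String(prop));
    },
  });
  return { proxy, log };
}

// Walk through both the genuine and the hostile case.
function demo() {
  const { promise, resolve } = makePromise();
  const seen = [];
  when(promise, (v) => seen.push(v));
  resolve(42);
  drain();                                   // seen is now [42]

  const hostile = makeHostileCandidate();
  const recognised = isPromise(hostile.proxy); // false, and log stays empty
  let naiveThrew = false;
  try { naiveIsPromise(hostile.proxy); } catch (e) { naiveThrew = true; }
  return { seen, recognised, reads: hostile.log.length, naiveThrew };
}
```

The point to take from `demo()` is the asymmetry between the two checks: `isPromise` decides without the hostile Proxy's trap ever firing, while `naiveIsPromise` is derailed on its first property read. The same holds for `when()`, which consults the registry and queues the observer rather than calling anything on the candidate.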