Comments on Making it stick.: Global Security
Patrick Logan

Chris Double (2007-11-07 14:04 -08:00):

Thanks Patrick. I know Doug's view on ES4 as a whole, I was more interested in if he had actually commented on the portions that are purported to help with the security issues. So far I've not seen any detail on his issues.

I like the separate independent 'vat' idea too, with the ability to send data between vats via message passing. This is how I used Ficl and Io on my cellphone to sandbox things when I was playing around with that.

Patrick Logan (2007-11-07 04:30 -08:00):

Of course reading global data can be a security weakness too.

Crockford has been a proponent of the "vat" idea -- running individual "applications" in their own vats, i.e. leak-free containers.

On es4 generally, Crockford writes (http://blog.360.yahoo.com/blog-TBPekxc1dLNy5DOloPfzVvFIVOWMB0li?p=709)...

"JavaScript is currently going through a redesign that is again failing to consider the security of the language. The new language will be bigger and more complex, which will make it even harder to reason about its security. I hope that that redesign will be abandoned."

Chris Double (2007-11-07 04:09 -08:00):

This is one of the things that the ECMAScript 4 proposal tries to address. You can prevent global objects from being modified, and it has a packaging/module system.

It'd be interesting to hear Doug's view on whether this will do the job.