Re: Figuring out easier readonly interfaces from Mark S. Miller on 2013-10-17 (public-script-coord@w3.org from October to December 2013)

From: Mark S. Miller <erights@google.com>
Date: Thu, 17 Oct 2013 13:52:21 -0700
To: Domenic Denicola <domenic@domenicdenicola.com>
Cc: James Graham <james@hoppipolla.co.uk>, "public-script-coord@w3.org" <public-script-coord@w3.org>
Message-ID: <CABHxS9jQGgE_ppSjLF_8kJ2ANzmU6oo2m+u=z53xGoOzOCBe8w@mail.gmail.com>

Hi Domenic, essentially yes. I would only change "only its creator can
write it" to "only those given write-access can write it". At the moment of
creation, only the creator has access to the created object, so all
authorization, both read and write, must be rooted in authorization choices
made by that creator.

In any case, your example code clearly expresses the intent to propagate
read access. The fact that it actually propagates write access is a
dangerous leak of unintended authority.

Thanks for the great example!

On Thu, Oct 17, 2013 at 1:45 PM, Domenic Denicola <
domenic@domenicdenicola.com> wrote:

> I think some example code helps this discussion. From what I can tell,
> Mark is concerned about code like this:
>
> ```js
> if (rect instanceof DOMRectReadOnly) {
>   // ok, it's read only, so only its creator can write it
>   untrustedCode.doSomethingWithRect(rect);
>   // I can assume that rect has not change.
> }
> ```
>
> This code assumes that being an instance of DOMRectReadOnly means that
> only its creator can write it, which is what the contract implied by "read
> only" means. It assumes `untrustedCode.doSomethingWithRect` won't be able
> to modify `rect`, and thus it can assume on the next line it isn't changed.
>
> However, under the proposed inheritance hierarchy, where a mutable DOMRect
> inherits from DOMRectReadOnly, this code could have its assumptions
> violated, if `rect` was a DOMRect.
>
> This seems bad?
>
>

-- 
    Cheers,
    --MarkM

Received on Thursday, 17 October 2013 20:52:48 UTC