- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Mon, 2 Sep 2013 13:30:52 -0700
- To: Brendan Eich <brendan@secure.meer.net>
- Cc: Boris Zbarsky <bzbarsky@mit.edu>, "public-script-coord@w3.org" <public-script-coord@w3.org>

On Mon, Sep 2, 2013 at 12:57 PM, Brendan Eich <brendan@secure.meer.net> wrote:
> Tab Atkins Jr. wrote:
>> Well, we know from experience that the first one is a no-go - we
>> always end up with compat pain, sometimes getting bad enough to force
>> a de facto order to become a de jure one.
>
> That's not a "no go". We don't like it but sometimes, and I can defend a few
> in ECMA-262, underspecification is a net win.

I suppose. Still have gag reflex at intentionally unspecified without plans to nail it down in the future.

> Doing more here may not help (Bjoern's point) and definitely costs. It might
> be "worth a try", or not -- I'm not sure. What PRNG (Math.random? Hope not,
> should not be correlatable) or RBG (Crypto.getRandomValues)? Has anyone
> drafted a spec? We aren't using Go so we may not want to copy whatever it
> does in detail.

No spec yet - I was socializing the idea here first.

Is your concern with correlation that authors (or libraries, rather) might attack the PRNG to predict the index, and provide an array wrapper that auto-corrects the starting index to 0? I'm not the right person to ask about what properties this would need, and how to most cheaply achieve it.

~TJ

Received on Monday, 2 September 2013 20:31:39 UTC