
Re: Fallout of non-encapsulated shadow trees

From: Brendan Eich <brendan@secure.meer.net>
Date: Tue, 01 Jul 2014 20:20:31 -0700
Message-ID: <53B37A7F.4010206@secure.meer.net>
To: "Tab Atkins Jr." <jackalmage@gmail.com>
CC: Domenic Denicola <domenic@domenicdenicola.com>, Edward O'Connor <eoconnor@apple.com>, WebApps WG <public-webapps@w3.org>
Tab Atkins Jr. wrote:
> On Tue, Jul 1, 2014 at 6:13 PM, Brendan Eich <brendan@secure.meer.net> wrote:
>> Domenic Denicola wrote:
>>> From: Brendan Eich [mailto:brendan@secure.meer.net]
>>>> That is a false idol if it means no intermediate steps that explain
>>>> some but not all of the platform.
>>>
>>> Sure. But I don't think the proposed type 2 encapsulation explains any of
>>> the platform at all.
>>
>> Are you sure? Because Gecko has used XBL (1) to implement, e.g., <input
>> type=file>, or so my aging memory says. That's "good enough" and it has
>> shipped for years, unless I'm mistaken.
>
> XBL is either type 3, or it's type 2 but weak/magical enough that it
> doesn't actually expose anything.

XBL can expose anonymous content via a special API:

https://developer.mozilla.org/en-US/docs/XBL/XBL_1.0_Reference/DOM_Interfaces#getAnonymousNodes

https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/Tutorial/XBL_Example
https://developer.mozilla.org/en-US/docs/XBL/XBL_1.0_Reference/Anonymous_Content

I'm rusty on this stuff; bz should correct anything amiss here.

> Gecko does *not* today leak any
> internal details of <input type=file>, in the way that type 2 web
> components would leak; that would be a major security breach.

Right you are -- native anonymous content is special this way. But ES6 
proxies are used (albeit by C++ APIs):

https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Language_bindings/XPConnect/XPConnect_security_membranes

So I question whether membranes *and* structured clones are required. 
SES uses membranes without cloning (wrapping, not cloning). This all 
seems doable in JS with enough care and testing, including 
capability-leak detection. Proxies are awesome!

[Attachment: object-graphs.png]

/be
Received on Wednesday, 2 July 2014 03:21:04 UTC
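The "wrapping, not cloning" membrane the message describes, as an added example that is not part of the original thread and is not code from Gecko, SES or XBL: a minimal two-way membrane on ES6 Proxy, plus the kind of capability-leak check the message mentions. The component "internals" object, the `makeMembrane`/`findRawLeaks` names and the trap set are constructed for illustration; the membrane assumes the dry side only ever receives references through it and does not handle non-configurable, non-writable properties, which a full membrane solves with shadow targets.

```javascript
// Added example (not from the thread, Gecko or SES). Objects crossing the
// boundary are wrapped, never cloned, so both sides share one state; a
// WeakMap per direction keeps wrapper identity stable and lets a wrapper
// handed back unwrap to its original. One revoke flag cuts off every wrapper.
const isPrimitive = (v) =>
  v === null || (typeof v !== 'object' && typeof v !== 'function');

function makeMembrane(wetRoot) {
  let revoked = false;
  // wetToDry: wet object -> dry proxy AND dry proxy -> wet object, so one
  // lookup either returns the cached wrapper or unwraps. dryToWet mirrors it.
  const wetToDry = new WeakMap();
  const dryToWet = new WeakMap();
  const asDry = (v) => cross(v, wetToDry, dryToWet, asWet, asDry);
  const asWet = (v) => cross(v, dryToWet, wetToDry, asDry, asWet);

  // `out` converts values flowing the same way as `value`; `back` converts
  // what the other side hands in (receivers, arguments, assigned values).
  function cross(value, fromTo, toFrom, back, out) {
    if (isPrimitive(value)) return value;
    if (fromTo.has(value)) return fromTo.get(value);
    const guard = () => { if (revoked) throw new Error('membrane revoked'); };
    const proxy = new Proxy(value, {
      get(t, k, r) { guard(); return out(Reflect.get(t, k, back(r))); },
      set(t, k, v, r) { guard(); return Reflect.set(t, k, back(v), back(r)); },
      has(t, k) { guard(); return Reflect.has(t, k); },
      deleteProperty(t, k) { guard(); return Reflect.deleteProperty(t, k); },
      ownKeys(t) { guard(); return Reflect.ownKeys(t); },
      getPrototypeOf(t) { guard(); return out(Reflect.getPrototypeOf(t)); },
      // Descriptors carry raw values and accessors; the default pass-through
      // trap would hand unwrapped wet objects to Object.getOwnPropertyDescriptor.
      getOwnPropertyDescriptor(t, k) {
        guard();
        const d = Reflect.getOwnPropertyDescriptor(t, k);
        if (d === undefined) return d;
        if ('value' in d) d.value = out(d.value);
        if (d.get) d.get = out(d.get);
        if (d.set) d.set = out(d.set);
        return d;
      },
      apply(t, thisArg, args) {
        guard(); return out(Reflect.apply(t, back(thisArg), args.map(back)));
      },
      construct(t, args, nt) {
        guard(); return out(Reflect.construct(t, args.map(back), back(nt)));
      },
    });
    fromTo.set(value, proxy);
    toFrom.set(proxy, value);
    return proxy;
  }
  return { dry: asDry(wetRoot), revoke: () => { revoked = true; } };
}

// Capability-leak check: walk everything reachable from `root` through own
// data properties and report raw wet objects (not wrappers). Prototype chains
// are skipped: the prototype property of built-in constructors is
// non-configurable and non-writable, and wrapping its value trips a Proxy
// invariant that this minimal membrane does not work around.
function findRawLeaks(root, wetObjects) {
  const seen = new Set(), queue = [root], leaks = [];
  while (queue.length > 0) {
    const cur = queue.shift();
    if (isPrimitive(cur) || seen.has(cur)) continue;
    seen.add(cur);
    if (wetObjects.has(cur)) leaks.push(cur);
    for (const key of Reflect.ownKeys(cur)) {
      const d = Reflect.getOwnPropertyDescriptor(cur, key);
      if (d && 'value' in d) queue.push(d.value); // skip accessors: getters run code
    }
  }
  return leaks;
}

// Constructed sample of internals kept behind the boundary (hypothetical).
function makeInternals() {
  return {
    path: '/tmp/chosen-file',
    child: { count: 0 },
    bump() { this.child.count += 1; return this; },
    accepts(o) { return o === this.child; },
  };
}

function demo() {
  const wet = makeInternals();
  const wetObjects = new Set([wet, wet.child, wet.bump, wet.accepts]);
  const { dry, revoke } = makeMembrane(wet);
  const r = {};
  r.noRawLeaks = findRawLeaks(dry, wetObjects).length === 0;
  r.detectorCatchesRaw = findRawLeaks(wet, wetObjects).length === 4;
  r.wrappedNotSame = dry !== wet && dry.child !== wet.child;
  r.identityStable = dry.child === dry.child && dry.bump() === dry;
  dry.child.count = 10;                  // wrapping: the write lands wet-side
  r.sharedState = wet.child.count === 10;
  const copy = { ...wet.child };         // what a clone gives instead: detached
  copy.count = 99;
  r.copyDetached = wet.child.count === 10;
  r.unwrapsInbound = dry.accepts(dry.child) === true; // wrapper unwraps going in
  revoke();
  try { void dry.path; r.revoked = false; } catch { r.revoked = true; }
  return r;
}
```

Every check in `demo()` is meant to come back `true`; the `findRawLeaks` walk is the part worth keeping in a test suite, since the easiest way to break a membrane is to forget a trap (here `getOwnPropertyDescriptor`) and leak a raw object through it.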
