Does ECMAScript2015's "import" keyword provide ambient authority to the filesystem?


Mike Stay

Mar 16, 2017, 6:02:03 PM
to Google Caja Discuss
Or is there some way to configure/intercept resolution of modules?
--
Mike Stay - meta...@gmail.com
http://www.cs.auckland.ac.nz/~mike
http://reperiendi.wordpress.com

Mark S. Miller

Mar 16, 2017, 10:57:48 PM
to Google Caja Discuss, Domenic Denicola, caridy, David Herman, Chip Morningstar, Dean Tribble
[+lots]

The current plan is for Realms https://github.com/tc39/proposal-realms/ to provide those hooks. The precise nature of these hooks has not yet settled down.




--

---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-discuss+unsub...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
    Cheers,
    --MarkM

David Bruant

Mar 17, 2017, 8:59:52 AM
to google-ca...@googlegroups.com, Domenic Denicola, caridy, David Herman, Chip Morningstar, Dean Tribble
On 17/03/2017 at 03:57, 'Mark S. Miller' via Google Caja Discuss wrote:
> [+lots]
>
> The current plan is for Realms https://github.com/tc39/proposal-realms/ to provide those hooks. The precise nature of these hooks has not yet settled down.
>
> On Thu, Mar 16, 2017 at 3:02 PM, Mike Stay <meta...@gmail.com> wrote:
Given the question in the title is asked on the Caja mailing-list, I assume the question is asked specifically about the JavaScript that can be found on the web.

And the answer is no.

The ECMAScript spec defines the syntax, but leaves the loading semantics off of the ECMAScript spec itself.
To the best of my knowledge, the latest state of web browser agreement regarding how a browser will load a module is defined at https://whatwg.github.io/loader/ (but only implemented behind flags in browsers).
Even if the spec is still in flux, I doubt browsers will ever give access to the file system directly, so no worries there.

Then there is the question of the loading semantics of "import" in the Node.js runtime. That's a different story, with complicated ramifications.
I think the latest news on that front can be read at:
https://medium.com/the-node-js-collection/an-update-on-es6-modules-in-node-js-42c958b890c
Also, follow https://twitter.com/nodemjs and https://twitter.com/jasnell for news about this.
In any case, in Node, the loader will most certainly give ambient authority to the file system, but that's not more than what the current loader ("require" function of CommonJS modules) provides.



> Or is there some way to configure/intercept resolution of modules?
As MarkM mentioned, there are plans for hooks to intercept resolution of modules. These obviously won't increase authority on the web, but may help decrease authority for the Node.js loader (which I'm looking forward to).

Hope that helps,

David
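
The resolution hook discussed in this thread, sketched as an added example that is not part of the original posts and is not the Realms or Node.js API: a toy loader whose resolve step is supplied by the host, so the same guest code reaches the filesystem under a pass-through hook and is refused under an allowlist. `hostModules`, `makeLoader`, `ambientHook`, `allowlistHook`, `runGuest`, `tryGuest` and the guest source are all constructed for illustration.

```javascript
'use strict';

// Constructed stand-ins for host modules (a real host would expose fs, path, ...).
const hostModules = {
  fs: { readFileSync: (file) => `<contents of ${file}>` },
  path: { basename: (file) => file.split('/').pop() },
};

// A loader whose resolution step is a hook supplied by the host.
// The hook returns a registry key, or null to refuse the import.
function makeLoader(registry, resolveHook) {
  return function load(specifier, referrer) {
    const key = resolveHook(specifier, referrer);
    if (key === null || !Object.prototype.hasOwnProperty.call(registry, key)) {
      throw new Error(`import of "${specifier}" refused for ${referrer}`);
    }
    return registry[key];
  };
}

// Ambient authority: every specifier resolves, so any module can reach fs.
const ambientHook = (specifier) => specifier;

// Attenuated authority: each referrer resolves only what it was granted.
// grants is a Map from referrer name to an array of allowed specifiers.
const allowlistHook = (grants) => (specifier, referrer) =>
  (grants.get(referrer) || []).includes(specifier) ? specifier : null;

// Evaluate CommonJS-style guest source with a loader bound to its name.
// Only the resolution hook is illustrated: code run through new Function
// can still reach globals, so this is not a confinement boundary.
function runGuest(name, source, load) {
  const module = { exports: {} };
  new Function('require', 'module', source)((s) => load(s, name), module);
  return module.exports;
}

// Constructed guest module that asks for both path and fs.
const guestSource = `
  module.exports.name = require('path').basename('/srv/app/config.json');
  module.exports.data = require('fs').readFileSync('/srv/app/config.json');
`;

// Run the guest under a given hook; report a refusal instead of throwing.
function tryGuest(hook) {
  try {
    return runGuest('guest.js', guestSource, makeLoader(hostModules, hook));
  } catch (err) {
    return { refused: err.message };
  }
}
```
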

