Mochabot log - CommonJS IRC channel: #commonjs on irc.freenode.net

2011-01-14:

[14:38] <ayalque> hello, newb here, was wondering if commonjs inhances JS' Array and adds functions to it and where are the docs of these inhancements if they exist
[14:42] <ayalque> hrmmf
[15:09] <Wes-> ayalque: CommonJS defines the subset of ES5 which is implementable in ES3; the array extras are part of that subset
[17:48] <ayalque> Wes-: Thanks!
[17:52] <ondras> Wes-: hm, in which standard/proposal/bikeshed/whatever ?
[17:56] <khs4473> Wes - you there?
[18:46] <Wes-> khs4473: am now
[18:46] <Wes-> oh, he's gone
[19:23] <khs4473> arg - so close to having secure sandboxed modules in the browser with script tags, yet so far...
[19:24] <khs4473> if only there were a foolproof way to associate executing code with a script tag (not just the nearest complete script tag)
[19:25] <khs4473> looking at the mozilla source to try and find something...
[19:32] <Wes-> khs4473: what's wrong kris zyp'
[19:32] <Wes-> khs4473: what's wrong kris zyp's algorithm?
[19:38] <khs4473> good for IE, but for others, an evil script could use setTimeout to run code just before the script tag executes. If I can't tell for certain that it didn't come from my script tag, it could get access to a sandboxed (private) loader and all the modules in it.
[19:39] <khs4473> Of course, an XHR loader wouldn't have that problem...
[19:47] <Wes-> khs4473: I believe your conclusion is incorrect
[19:47] <Wes-> khs4473: for non-IE browser, you can use the .src property with a closure to identify the module
[19:50] <Wes-> khs4473: take a look through the implementation in BravoJS, it's a pretty easy read
[20:09] <khs4473> maybe - let's say you have good.js and evil.js and they get eval'ed in adjacent turns of the event loop like this: (evil.js was not inserted by you)
[20:10] <khs4473> [0: evil.js, evil.js/onload] [1: good.js, good.js/onload]
[20:11] <khs4473> (The onload handler gets called in the same turn of the event loop as the script is eval'd)
[20:13] <khs4473> and evil.js declares a module that spoofs the "good" module and gets your bank account numbers or something.
[20:14] <Wes-> khs4473: wait, you want to write JS that two modules on the same page can't interfere maliciously with each other?
[20:14] <Wes-> that can't be done
[20:14] <Wes-> Object.prototype
[20:14] <Wes-> "I win"
[20:15] <khs4473> Ha ha ha! Fine!
[20:17] <Wes-> and before you get the bright idea to start playing name games: ({}).constructor.prototype === Object.prototype
[20:17] * Wes- has already been down this road with great dismay
[20:23] <khs4473> of course. thanks, wes - adios!

 

 

Logs by date :