►
From YouTube: SES-mtg: Trusted Types, Insulating membranes
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
B
I'm
not
gonna,
tell
you,
but
I
just
have
a
reaction,
which
is
seemed
like
an
awful
lot
of
mechanism,
most
of
which
could
just
be
implemented
in
JavaScript.
The
one
exception
is
having
the
various
Dom
API
entry
points
in
force.
This
is
something
it
actually
has
to
be
implemented
in
the
browser
itself,
because
otherwise,
the
you
know,
there's
no,
you
know
it's
trivial
to
get
around.
It
could.
B
D
C
A
A
Right:
ok,
no.
D
C
C
C
D
B
So
they
have
trusted
HTML
and
trusted
script
and
trusted
script,
URL
and
trusted
URL
and
they're
just
different
species
of
things,
and
then
they
revise
the
the
Dom
API
so
that
you
can
flip
some
switch
I'm,
not
quite
sure
how
you
do
that
we're
at
at
which
point
it
will
not
accept
a
string
directly,
but
will
only
accept
one
of
these
and
extract
the
string
from
it.
Okay,
so
it's
essentially
branding
mechanism
and
and
then
and
then
they
go
into
this
long.
Complicated
thing
with
with.
B
Policies
and
with
some
kind
of
mecha
for
generating
taking
a
string
and
generating
one
of
these
trusted
type
objects
from
it
and
how
that
can
happen,
and
they
you
know
they
provide
essentially
a
callback
so
that
you
can
register
your
your
thing,
which
will
which
will
either
bless
or
or
transmogrify
strings
as
necessary
and
return
one
of
these.
And
then
you
do
an
initialization.
C
Before
before,
you
move
on
from
this
example
that
we
see
right
here
and
I'm
sorry
to
interrupt,
like
example,
two
okay,
because
they've
caught
my
eye
like
they're
returning
URL
dot
to
string
and
I
that
you
know
the
examples
are
completely
like
what
what's
the
magic
about
calling
the
URL
constructor
with
two
string.
I'm.
A
A
B
So
and
I've
only
read
this
at
a
surface
level,
myself,
so
you're
getting
a
fairly
amateurish
summation,
but
essentially
what
they're
doing
is
they're
providing
branded
wrappers
for
strings
and
then
in
a
set
of
of
a
I
guess
at
this
point,
four
different
types
which
they
have
defined
as
part
of
their
spec.
Okay.
So,
for
example,
like
trusted
HTML,
which
a
type
that
contains
a
string
and
is
somehow
brand
checkable
to
discern
that
that
this
this
object
is
a
one
of
okay.
A
C
A
global
already
that
it's
available
called
trusted
types
and
all
the
examples
actually
use
that
global
or
a
member
of
that
global
if
I
can
just
maybe
shorten
the
distance
I,
think
it's
kind
of
like
how
data
URLs
at
some
point
and
I
might
be
wrong.
But
at
some
point,
I've
noticed
that
in
certain
of
them,
at
least
in
Safari
at
some
point,
when
you
create
a
data
URL
from
a
page
and
you
try
to
somehow
transfer
that
string
in
consumed
from
another
page,
it
wouldn't
be.
A
C
B
B
B
B
C
B
B
Well
that
the
we
have
to
be
careful
or
do
you
use
the
word
user,
because
the
the
whole
point
here
is
mediating
between
two
different
species
of
user
there's,
the
user?
Who
is
the
person
who's
setting
up
a
page?
Who
is
concerned
with
protecting
themselves
against
the
threat
that
this
is
supposed
to
protect
you
against?
Okay?
And
then
there
is
the
user
who
is
creating
scripting,
which
is
going
to
go
on
that
page
which
might
want
to
use
the
Dom
API.
So,
okay,.
A
B
What
this
does
is,
this
is
essentially
saying
that
second
class
of
user
is
is,
is
restricted
in
their
usage
of
the
Dom
API
to
strings
which
are
created
by
passing
them
through
this
policy
mechanism
which
which
mints
a
a
new
one
of
these
trusted
type
objects
in
response
to
a
string
given
a
in,
and
in
this
case
the
user
of
the
first
type
can
provide
a
tighter
which
would
will
do
various
things
either.
You
know
only
allow
some
predefined
literals
or
not.
Let
you
do
it
at
all,
but.
B
A
B
C
B
B
It
just
seems
it
seems
needlessly
complicated
and
it
seems
like
it's
highly
specialized
to
the
the
the
Dom
API
when
I
think
it
would
be
cleaner
if
they
broke
it
into
a
you
know,
a
general-purpose
branding
mechanism
and
then-
and
here
is
the
use
of
this
branding
mechanism
that
will
be
observed
by
the
Dom
API,
but
instead
it
kind
of
it
bakes.
All
of
these
things
together.
So.
A
B
A
A
B
Haven't
read
this
closely
enough
to
have
it
developed
a
what
I
would
consider
an
informed
opinion
on
that?
My
my
sort
of
quick
take
is
that
this
doesn't
this
doesn't
open
up
anything
that
we
need
to
worry
about
other
than
just
you
know
once
again
making
me
already
over
complicated
Dom
API
even
more
complicated.
B
A
A
C
A
C
C
A
C
That
that's
what
I
would
like
to
think
that
this
can
be
helpful
for
because
that
seems
like
this
is
the
model
they're
trying
to
go
for
I.
Think
I
know
where
Google
felt
the
urge
to
actually
look
into
this,
because
they
were
pushing
the
web
compose
in
specs
and
with
web
components.
You
have
a
big
problem
is
that
most
of
your
DOM
is
created
from
Street.
C
C
It
was
only
recently
that,
when
the
template
element
itself
got
adopted
that
people
he
backed
their
template,
string
against
it
directly
to
generate
nodes
from
the
generated
output,
so
that
that
mechanism
requires
a
lot
of
trust.
On
behalf
of
like
what
elements
are
being
generated
in
this
approach
and
I
think
this
is,
you
know
one
one
pain
point
that
this
fact
is
trying
to
address
so
I'm
thinking
that
if
you
create
a
frame,
somehow
you
control
its
trusted
types
and
then
and
then
you
make
sure
that
everything
goes
through
trusted
types.
C
A
A
C
So
I
like
the
script
element,
they
showed
that
they
are
really
targeting
SRC
as
an
URL
from
which
a
script
can
come
and
and
the
fact
that
they
are
actually
using
the
uppercase
of
the
class
dot
SRC.
It
implies
to
me
that
they're
talking
idea
a
level
not
not
JavaScript
level.
So
it
seems
to
me
that
an
object
that
I'm.
A
C
Not
not
calling
an
instance
of
HTML
script
element
SRC,
but
rather
the
object.
You
know
IV
object,
implementing
the
interface
HTML
script
element
whenever
the
SRC
value
of
that
interface
is
being
set,
it
will
actually
be
a
sink
for
which
the
policies
will
be
enforced.
So
if
you
declaratively
by
by
means
of
navigating
to
a
page,
let's
say,
assign
the
SRC
of
a
script
by
having
a
Dom
element
be
a
script
tag
with
SRC,
then
it
will
hit
that
sink
as
well.
I
believe
so,
like
the
way
they
talked
about
it
yeah.
C
A
A
C
If
we
are
implementing
this
method
to
sandbox
on
the
current
site
from
you
know,
it's
being
served
remotely
with
trusted
type
enforcement
on
it,
that's
a
different
approach
altogether,
I
guess,
but
that
requires
that
any
SES
sites
would
actually,
you
know,
enforce
these
policies
on
their
own
pages.
Okay,.
A
So
so
Rodney,
so
let
me
just
take
a
simple
hypothetical
and
see
if
I'm
understanding,
but
if
we
want
to
create
a
confined
by
frame
where
we
use
Edler,
you
know
we're
running
SES
in
the
iframe.
So
so
all
the
JavaScript
is
taken
care
of,
but
we
want
to
give
untrusted
code
direct
access
to
the
Dom
nodes
of
the
iframe,
and
we
deny
to
the
OS
called
guest
code.
A
C
But
I
would
I
would
just
try
to
say
that
the
most
secure
approach
would
be
to
meant
to
you,
know,
take
over
trusted
types
and
and
close
them
up,
but
a
security
model
would
rather
actually
create
a
you
know,
glass
ceiling
on
what
is
allowed
to
be
trusted
so
that
you
can
still.
You
will
trust
the
types
API.
If
you
have
a
web
component,
that
is
trying
to
be
safe,
but
you
just
want
to
make
sure
that
when
additional
policies
come
in
they're
attenuated,
so
that
they
cannot
violate
the
containment
policies,
so.
A
Is
the
host
code
in
a
position
to
confine
the
guest
code
without
using
service
workers
at
all
and
seems
like
the
will
severe
answer
where
we're
not
trying
to
emulate
a
normal
environment
we're
just
trying
to
prevent.
It
seems
like
the
answer
to
that.
One
is
yes
that
we're
successfully
preventing,
without
using
the
inertness
of
templates
yeah
using
a
service
worker
I.
C
A
C
I'd
like
us
to
start
looking
into
this
cautiously
because
so
far
the
only
browser
that
seems
to
have
any
affiliation
with
it
is
chrome.
I
have
not
seen
except
you
know,
like
splashes,
that
chain
towards
ACMA
script,
like
the
tc39,
has
a
proposal
that
or
maybe
more
than
one
to
make
some
minor
modifications
so
that
trusted
types
can
can
actually
handle
certain
strings.
C
C
Right
so
so
it
seems
like
it's
having
traction
within
the
spec
bodies
and
it's
going
to
be
a
different
beast
like
it
cannot
really
complement
the
serviceworker
approach.
C
C
E
This
is
jf
here
the
idea
of
the
the
branding
mechanism
here
in
place
when
the
idea
of
branding
at
creation
and
having
those
those
think
all
those
consumer
validating
the
branding
is
something
that
we
do
in
Locker.
We
have
the
exact
same
mechanism
and
our
concern
is
to
defend
against
blobs,
which
can
be
turned
into
object,
URL
and
then
use
to
inject
JavaScript
into
iframes
into
window
location
and
and
escape
the
sandbox,
a
mechanism
that
we
have
so
the
problem
with
blob
is
the
API.
In
order
to
validate
the
content
of
them
is
async.
A
E
So
yeah
do
you
have
an
async
process
so
that
the
fact
that
it's
a
thing
it
means
that
we
cannot
validate
the
content
of
a
blob
at
the
moment
of
usage
inside
a
a
four
to
create
object.
You
are
your
I
ATI,
so
at
the
time
that
method
is
used,
we
need
to
be
in
possession
of
the
answer.
Is
this
content
safe?
E
E
Don't
we
we,
we
have
wrappers
or
membrane
or
proxies
around
those
objects.
Yeah,
we
don't
give
them
so
we
actually,
we
we
have.
We
whitelist
the
API.
So
if
something
new
comes
up
well,
we
don't
obviously,
by
default,
it's
not
supported
exposed,
and
on
top
of
that
we
do
have
a
specific,
alternate,
behavior
or
distortion
for
the
API.
Is
that
we
know
as
being
malicious.
A
A
E
There
are
various
concern
in
place,
where's
different
ways
to
deal
with
the
problem.
One
is
the
fact
that
the
sandboxing
in
an
our
system
is
multi-tenancy,
so
dumb
element,
it's
not
only
yet
to
have
a
system
mode
and
a
user
mode.
Is
we
miss
situation
where
we
have
a
system
mode
and
various
users,
so.
E
Bye-Bye
careful
analysis
we
come
up
with
the
conclusion
that
the
best
thing
we
could
do
is
implement
something
similar
to
the
iframe
semantics,
where
there's
an
area
of
the
page
that
represents
your
frame.
It's
your
it's
your
content
and
there's
a
very
strong
boundary
around
it
and
we're
the
only
data
that
comes
in
and
out
and
then
can.
The
Tigers
is
the
equivalent
of
the
structure
clone
or
the
save
data
passing
defining
defined
in
the
inter
specs
and
except
for
a
communication
between
that
sandbox
and
the
Dom
they
are.
E
You
know
you
what
we're
looking
at
patching,
the
dumb
we
can
patch
the
double
API
is
the
native
objects.
So
there's
things
we
can
do
at
that
level,
but
obviously
the
we
can
interfere
with
code
being
loaded
by
different
users
and
they
might
want
to
modify
their
prototypes.
So
that's
one
limitation
of
that
system.
E
The
other
one
is
is
the
membrane
approach
and
they
are.
We
have
various
types
of
membrane
and
the
approach
with
the
membranes
is
we
preserve
compared
to
patching
the
dog
would
preserve
the
semantics
of
the
dub
outside
of
the
sandbox,
and
we
have
an
alternate
behavior
inside
of
the
sandbox,
so
inside
and
and
performances
is,
is
good
for
the
places
where
this
has
been
done
with
care.
E
Our
places
where
we
use
a
more
automated
process
and
it
can
be
refined
and
and
accelerated,
but
yeah
I'd
be
interested
to
hear
about
any
other
approach
that
you're
exploring
and
then
we
can
share
also
the
different
systems
that
we
have
put
in
place.
We're
currently
re-evaluating
the
dumb
access.
There's
there's
always
been
the
idea
that
we
could
patch
to
them
and
then,
except
for
the
optimization
of
running
JavaScript
instead
of
a
native
code,
we
would
we
would
be.
E
Block
in
the
past
is
we
believed
at
one
point
that
we
needed
to
have
a
single
dub
element
visible
in
multiple.
What
we
call
what
multiple
realms
we
we're
moving
away
from
that
yeah.
It's
we've
I'm,
advocating
that
this
cat
model
is
not
sustainable
and
we
need
it
ends
up
having
forcing
us
to
introduce
for
lack
of
a
better
term,
same
origin
policy,
semantics
where
we
need
to
have
dumb
semantics
and
the
two
things
are
not
compatible.
E
E
Exactly,
except
for
the
body
and
document
and
head
which
we
fake
and
present
to
every
user,
so
every
set
box
on
the
page
believes
that
it's
acting
alone,
so
you
want
to
do
a
document,
that's
something
or
body,
that's
something
you
can
put
your
properties
on
it
and
nobody
else
will
see
it.
The
same
thing
with
the
you
know
something
else
we
do
for
window
in
the
global
in
in
a
realm,
but
we're
moving
a
whale
a
bit
from
from
what
we
were
we
started.
E
The
thing
I
just
wanted
to
mention
is
the
idea
of
trust
type
is
something
that
we
stumble
across
and
have
I've
created.
I
wish.
We
had
seen
the
specs
before,
because
and
I
think
our
implementations
are
too
far.
We
could
isolate
it
in
the
sub
module
and
I.
Have
this
idea
of
a
trusted
type
in
Locker
very
well?
Very
well
label!
E
C
C
I
just
glimpse
really
quickly,
while
I
was
listening
so,
but
maybe
this
Avenue
is
something
of
interest
generally
for
for
for
the
group
to
dig
in
a
little
bit
deeper,
any
any
advice
on
you
know
or
any
ideas
on
something
to
you
know
towards
that.
That
would
help
us
determine
whether
it's
a
Bible
route
for
us
to
explore
or
I,
don't
know.
A
A
E
Yes,
okay,
yeah
I'm,
talking
about
a
little
bit
literal
template
literal,
so
trust
a
type,
a
template.
It
will
have
a
I
believe
a
very
strong
value,
because
if
you
help
late
literalist
trusted,
then
you
could
run
sanitization
only
on
the
values
that
are
injected
in
your
template.
Literal,
if
it's,
if
it's
already
trusted
and
trusted,
doesn't
have
it.
We
we
just
like
pure
modules,
pure
modules
can
be
in
our
system.
E
Can
the
equivalent
of
pure
module
can
be
attained
by
carefully
vetting
code
and
saying
that,
yes,
this
only
produces
fresh
or
frozen
data,
and
we
don't
have
neither
the
the
mechanism
of
the
pure
module
for
for
templates.
It's
possible
to
I
could
imagine
the
system
where
a
carefully
vetted
template
strain
would
dramatically
accelerate
performance
by
reducing
the
amount
of
HTML
sanitization
that
needs
to
happen.
Did.
E
E
A
E
E
A
Four
modules
that
whose
exports
are
pure
and
that
only
consume
pure
imports,
we
would
also
like
multiple
guests
to
be
able
to
jointly
use
the
abstractions
that
those
modules
define
again
without
identity
discontinuity.
So
if
a
module
defines
a
pure
class,
we
would
like
to
be
able
to
load
the
module
through
the
shared
root
loader.
A
The
share
this
is
a
shared,
pure
loader,
so
that
multiple
compartments
can
both
end
up
make
it.
You
know
accessing
that
class
by
import,
create
instances
and
not
have
identity.
Discontinuity,
yes,
is
the
to
do
that.
We
need
to
know
that
the
exports
of
the
module
are
pure
and
that
it
only
needs
to
import
pure
things.
E
Yes,
well,
it
depends.
You
know
it
depends
on
the
security,
the
the
goal
and
and
the
starting
point.
So
if
we
say
that
those
different
realms
don't
need
to
share
higher
order
order,
object
anything
else
that
is
not
data,
anything
that
is
not
DIF
as
defined
in
this
serializable
object.
They
don't
need
to
share
anything
as
they
don't
they
don't
need
to
share
a
class.
We.
A
E
B
C
There's
a
different
angle
of
this
that
I'd
like
to
also
address
during
today's
call,
if
possible
so
so
same
boxing
with
policies
works
really
well
for
an
SBA
that
does
not
navigate
right.
Sp,
a
yeah
like
single
page
application,
okay,.
A
C
E
The
other
side-
yeah,
yes,
well,
you
know,
if
you
have
a
single
page,
app
and
use
iframes,
you're
gonna
boo,
these
iframes
all
the
time,
every
patient
abrogation
and
the
page
that
you
go
or
virtual
page
you
go
to
because
you're
going
to
render
things
and
in
the
Dom
the
Dom
will
change.
Well,
if
you
maintain
compartment
and
the
compartment
are
not
necessarily
tied
to
a
Dom
element
like
an
iframe,
do
these
can
exist
and
persist
between
pages,
so
the.
E
C
Sorry
yeah,
like
I,
was
actually
muted
when
I
was
asking
so
I
know
for
an
SP
a
you
know.
You
have
this
I
if
you
use
them
iframe
or
if
you
use
a
container
for
the
different
routes
of
your
page,
you
can
maintain
a
single
stage
as
you
navigate
through
the
different
pages
which
which
allows
you
to
initialize
ones,
things
that
are
shared
between
your
views.
C
As
long
as
your
remote
is
able
to
catch
URLs
and
and
and
you
know,
I
passed
them
all,
you
know
what
was
the
word
masquerade
them
against
the
single
entry
point
on
the
ith
remote
right,
whereas
I
think
what
I'm
concerned
here
is
that
how
you
translate
this
mobility
to
a
non
espy,
a
site
other
than
actually
doing
fetches
and
emulating
an
SBA
approach
from
from
real
content?
And
so
I
was
just
asking?
C
C
I'm,
just
thinking
that,
if
containment
is,
you
know
initialized
differently
between
when
you
navigate
from
one
view
to
the
next,
because
you
have
to
manually
or
you
have
to
have
a
mechanism
where
you're
initializing
containment
on
every
page,
and
you
want
to
make
sure
that
it
does
not.
Yet
you
know
nothing
executes
before
the
containment
initializes.
As
you
move
from
one
page
to
the
next
chances,
are
you
will
fit?
C
E
Yes-
and
this
is
one
of
the
reason
why
we
favor
more
model
of
async
communication
between
these
containers,
so
so
the
context
we
are
in
is
is
it's
very
the
the
sandbox
and
we're
doing
is
very
tied
to
our
application
architecture,
which
is
basically
something
that
you
would
use
with.
Drupal
you
would
use
with
WordPress
Wix
is
you're
dragging
on
the
page.
E
Higher
order,
components
that
represent
an
experience
or
an
activity
and
those
are
those
could
be
iframe,
but
in
our
case
we
don't
use
our
frame
and
so
yeah
you're
right.
The
behavior
could
be
different
depending
on
how
the
page
where
they
appear
on
the
page
and
what
order
they
load
and
they
do
they
do
because
some
of
those
things
do
appear
on
multiple
pages
and
the
pages
could
be
different,
so
we
could
have
a
sidebar
widget.
That
is
a
weather
widget.
E
A
E
Though
I
would
say
that
with
the
way
the
web
is
these
days,
I
don't
think
it
has
gained
enough
traction.
This
is
still
ill
appeal
battle,
so
we
have
ways
to
design
it
before
it
actually
becomes
the
target
for
security
reviewers
to
say
you
know
you
have
to
come
up
with
a
mechanism
to
defend
against
to
it
party
library
right
there.
D
E
A
there
was
a
tweet
that
I
really
like
from
Brandon.
It
was
mentioning
you
know.
Somebody
was
too
was
tweeting
to
Brandon
that
we
should
have
never
done
out
third-party
scripts
on
the
web
and
and
the
the
response
somebody
said
well.
Mark
Sorrell
will
solve
the
problem
and
and
Brendan
was
responded
to
that
and
he
said
yeah.
That
will
great.
That
would
be
great
added
if
we
add
the
next
thing,
which
is
a
mechanism
for
a
third-party
script,
to
not
run
as
first
party
right.
A
You're
you,
you
want
to
give
different
libraries
different
Authority,
but
also
clearly,
libraries
are
not
like
you
know:
iframes
they
can
that
are
content
to
speak
to
each
other
through
post
message.
They
need
object,
object,
interaction,
yes,
together,
I,
think,
and
and
and
now
you
know,
library,
a
and
B
can
both
be
using
library
C,
where
a
and
B
are
also
given.
You
know
a
B
and
C
are
each
given
different
authorities.
Yes,.
E
So,
exactly
and
and
and
this
this
this
is,
we
can
look
at
the
app
architecture
as
different
layers
and
different
scale
of
things.
So
what
do
we
talk
about
the
containment
of
the
Wix
page,
for
example?
This
is
really
high-level,
large
experience
component
that
I
dragged
on
a
page
and
and
the
communication
now
what
happens
inside
one
of
these
containment
as
if
it's
open
for
programmatic
access,
so
a
development
wants
to
do
something
and
their
collaborate
in
it.
Then
this
is
where
we're
going
to
the
system
we
who
you're
talking
about
and.
A
E
We've
been
working
on
some
very
interest:
ding
model
import
model
or
code
sharing
example
between
because
on
our
platform,
what
we
say
is
code
should
be
isolated.
So
two
actors
on
the
page
should
never
see
code
for
each
other,
but
there
are
cases
where
this
is
desirable.
Somebody
in
an
arc
and
then
in
a
website,
might
be
able
to
install
a
library
and
then
wants
to
use
that
library
in
their
in
their
program
with
programmatic
access,
so
we're
working
on
those
finer
grain,
mechanics
security
mechanism.
So.
E
A
You
know
separate
web
things
that
each
of
whom
think
they're
in
their
own
iframe,
those
don't
for
for
those
you
don't
need
to
avoid
identity
discontinuities
even
for
the
primordial
x'.
As
far
as
their
interaction
with
each
other
is
concerned,
you
can
just
give
them
their
own
separate
root.
Realms
you
don't!
Even
so
you
don't
need
it
yes
or
get
arguments
at
all.
You
just
need
creation
of
separate
root
level.
Yes,.
A
E
Performance
because,
first
of
all,
we
can
have
one
set
of
JavaScript
objects
everywhere,
like
I
mean
to
say,
table
7,
we
freeze
those
think
we
share
them,
and
so
all
data
or
JSON
object
or
anything
that
needs
to
travel
date,
can
be
safely
passed
between
those
compartment
without
having
identity.
Discontinuity,
give.
E
A
E
Cases
we
will,
but
in
some
cases
we
can
vet
that
the
code
actually
generates.
As
as
you
you
know,
to
use
your
common
approach,
you
say
if
it's
not
frozen
or
fresh,
it's
rotten.
Yes,
in
some
cases
we
have
API.
Is
that
duplicate
data
before
sharing
them
and
presenting
it
in
each
compartment
in
other
areas?
It
just
simply
freezes
to
data.
Okay,.
A
E
E
So
when
the
when
it's
the
participant,
when
it's
the
people
that
we
bring
to
the
platform,
we
do
not
use
a
shortcut.
The
so
called
shortcut
with
code
review
and
and
enforcement
of
security
guidelines
for
this
no
limited
carefully
vetted
code
for
the.
If-
and
this
is
where
the
pure
module
and
the
resource
module
come
into
play,
you
evaluate,
or
you
have
a
pure
module,
and
that
would
be
for
third-party
scripts
for
other
things
that
are
in
the
page.
Okay,.
E
A
E
E
A
A
E
Yes,
yes
and
no
I
think
the
in
in
the
way
we
say
pure,
we
say
pure
data
and
pure
pure
Marshall
right.
So
there
are
we've
been
we've
been
using
that
TT
terminology
and
we
find
that
using
pure
data
is
also
an
interesting
concept
when
to
submit,
because
other
things
I've
been
have
been
used
to
say
it's
instead
of
pure
later
it's
it's
inert
data,
it's
a
clone
data
and
all
of
that,
so
in
order
for
the
source
of
the
data
can
be
shared
right.
E
E
E
E
Yes,
that's
that
is,
are
we
going
to?
Yes,
we
currently,
we
just
launched
a
new
platform,
the
lightning
web
component,
and
when
we
were
doing
the
secret
review
last
summer,
when
we
started
working
on
the
roads,
I
was
mentioning
that
you
know
we
need
to
define
in
the
realm
what
the
behavior
of
import.
We
realized
that
putting
code
between
those
compartment
was
putting.
Those
component
into
a
communication
was
difficult,
so
we
decided
to
disable
it,
and
so
it's
not
allowed
currently,
so
users
don't
have
a
mechanism
to
talk
to
each
other
yeah.
So.
E
We're
working
for
the
term.
Currently
we
the
way
that
the
system
has
been
implemented.
There's
been
a
semantic
slippage
in
the
sense
that
code
is
defined
in
something
called
a
namespace,
so
every
user
to
gets
in
a
namespace
and
they
put
their
code
in
the
namespace
and
and
when
the
compartment
are
created.
The
original
system
that
was
designed
is
each
Locker
is
for
each
namespace
as
a
locker
created
and
all
code
defined
in
the
locker
in
a
namespace
executes
in
the
locker
associated
with
that
namespace.
E
So
that
was
the
original
design.
So
the
code,
the
semantic
definition
of
the
code,
its
location
of
where
it's
defined,
determine
where
it
executes,
and
so,
if
I
have
a
jQuery
component
library
running
in
the
jQuery
namespace
and
executing
a
jQuery
compartment,
and
if
I
have
a
underscore
library
it
orange
I
would
executed
and
underscore
compartment.
Now.
E
E
E
A
A
E
E
E
Devil
done
before
and
we
were
implementing
those
rules
currently
and
it
did
its.
Its
bait
basically
will
resolve
a
lot
of
problems
that
developers
have
currently.
It
means
that
what
we
will
base
the
system
is
on
a
mutual
trust
system.
So,
if
alice
has
written
some
code,
that
Bob
wants
to
use
Hollis
has
to
make
her
first
her
code
available
by
our
mechanism.
E
She
must
say
I'm
allowing
people
to
import
my
code,
because
some
people
might
not
work
that
on
and
of
all
the
players
on
the
page
and
bob
has
to
say
more
than
just
an
import,
it
has
to
say
in
his
in
his
package
definition
that
he's
is
is
agreeing
to
import
from
Alice
and
then
any
import
statement
can
then
function
for
importing
from
Alice,
and
that
prevents
accidental
mistake.
Where
you
know
some
some
code
could
execute.
E
E
So
there's
a
that
led
us
to
have
a
clear
from
the
original
model
to
have
a
clear
distinction
between
this
large
unit,
which
our
execution
context
and
our
for
the
wicks
like
you
drag
something
on
the
page,
you'll
try
you
build
those
experience
components.
So
that's
one
use
case
and
the
other
use
case,
which
is
programmatic
access,
and
then
then
you
have
those
rules
for
making
for
import
and
all
of
the
work
that
we
did
with
with
you
with
the
reflection
around
cure,
module
and
Lisa
authority
are
going
at
that.
E
E
A
A
A
E
A
E
Now,
with
pure
module
in
the
fact
that
you
can
probably
define
something
that
can
even
be
loaded
and
evaluated
outside
of
any
realm
in
there,
in
the
say,
the
route
leave
the
route
realm
is
window.
If
the
window
is
prepared
in
a
given
way
that
it
abides
to
to
the
an
immutable
frozen
realm,
then
you
can.
We
can
you
can
envision
using
script
tags
to
basically
load
code
of
frozen
or
few
modules
in
that
environment
without
any
any
confinement?
E
And
then
you
could
potentially
get
the
benefits
of
by
code
caching,
which,
if
you
have
to
use
any
evaluator
you
you
you
don't
have
currently
browsers,
don't
see.
It
seem
to
support
this
case
very,
very
well.
So
there's
you
know,
there's
something
it
I
think
it's
going
in
the
right
direction
using
a
term.
It's
like
all.
The
stars
are
starting
to
align
on
a
few
thing
when
we
work
at
that
level
and
the
amount
of
work
that
will
have
to
do
for
to
make
the
browser
natively
support
that
model
is
is,
is
becoming.
E
A
E
A
A
B
E
We
would
I
would
love
to
you
know
by
by
having
the
higher
level
container
of
the
page,
we'd
love
to
bring
them
closer
to
the
iframe,
so
that
given
developer,
could
more
easily
switch
between
an
iframe
and
a
a
locker
depending
on
what
suits
best
for
them
and
in
terms
of
what
is
supported
by
Locker.
What
can
be
cannot
be
supported
by
Locker
due
to
technological
limitation,
so
yeah,
so
looking
at
that
just
to
make
these
two
environment
more
the
same.
E
It's
it's.
There
I
think
it's
a
license,
just
a
licensing
comment
that
needs
to
go
through,
but
we're
getting
more
people,
so
we
might
be
able
to
block
that
we
just
I
was
just
so
busy
with
the
the
items
have
been
discussing
about
this
there's
a
new
mechanism
of
co-chairing
that
we
moved
it
exploring.
E
E
Don't
don't
matrix
change
there
I
think
it
wasn't
a
good.
Last
time
we
talked
it
wasn't
good
enough
position,
there's,
obviously
the
older
documentation
that
needs
to
be
updated.
A
few
license
file
but
I
think
it's
yeah.
It's
unless
you've
seen
something
there
I
think
it's
in
a
good
good
position.
Yes,.
A
E
Does
detect
that?
Yes,
yes
exactly
it
doesn't
it
doesn't
have
the
capita
mechanism
for
import
basically,
and
it
also
doesn't
have
the
what
I
call
the
bleach
that
you're
doing
on
the
telescope
API.
So
the
I
think
you
called
it
out
what
I'm
cleaning
so
removing
the
extra
property
from
the
language
we
don't.
We
don't
have
that
in
there.
Okay,
okay,.
A
E
A
Can
you
can
those
those
are
quite
abusable
and
you
know
there's
other
things,
but
in
any
case,
that's
that's
fun
as
we
reconcile
our
systems
we'll
get
all
that
together
and
we've
done
all
the
cleaning
in
such
a
way
that,
for
each
thing
that
we
remove
the
there
is
an
option
not
to
remove
it
so
that
we
want
to
basically
have
all
the
differences
between
what
you
guys
need
or
what
we
need
on
configurable
with
options
so
that
we
can
end
up
reconciling
on
one
source
stream.
One
repository
there's
all
of
our
needs.
Well,.
E
A
E
A
E
You
know
it's
a
lot
more
material
that
I
could
absorb
over
the
past
few
months,
but
it's
I
think
it's
going
the
right
direction
and
also
what
what
I
like
is
it
it's
all
built
in
its
it?
The
code
is
sufficiently
independent
of
the
realm
and
the
freezing
and
the
cleaning.
So
all
of
those
things
are
when,
when
you
get
in
one
scope
or
one
set
of
concerns
you
you
can
forget,
so
you
get
into
cleaning,
you
can
forget
about
freezing
your
heartache,
so
yeah,
so
that
that's
also
we've
all
done
on
that
point.
A
A
So
the
so
nice
thing
is
that
you
can
populate
these
namespaces
with
the
the
modules
describing
their
impregnates.
You
can
populate
the
namespaces
to
wire
them
in
any
order
and
then
once
it's
fully
populated
then
check
that
all
the
imports
and
outputs
are
correctly
mapped
to
each
other.
Basically,
you
you,
you,
you
create
the
modules,
then
you
link
them
together.
A
Right
now
it
is
not
the
the
actual
mechanism
that
I've
created
allows
enables
you
to
give
each
individual
module
its
own
namespace,
namespace
and
boat
in
both
sentences
that
we
just
sense.
As
we
just
talked
about
you
and
you,
each
module
is
turned
in
from
a
static
module
to
a
module
instance
to
get
from
a
static
module
to
a
module
instance.
A
You
give
it
any
there's
a
you,
give
it
an
a
realm
evaluator,
so
an
evaluator
that
takes
a
source
string
and
an
endowments
awesome.
So
exactly
the
evaluator
that
we
get
from
our
realm
API
and
you
give
it
an
an
object
to
be
populated
by
other
module.
Instances
has
a
namespace
to
go
from
that
modules.
Local
specifier
names
to
other
module
instances
so
populating.
That
is
where
you
express
all
of
the
linkage
in
white
rewiring
parts
right.
E
A
The
temporal
dead
zone
is
not
quite
right
and
within
the
overall
goals,
in
order
to
have
an
efficient
translation
that
does
not
rewrite
a
function
text
at
all.
That's
the
other
thing
is
that
the
function
text
is
not
rewritten
at
all.
It's
pretty
completely
preserved,
so
a
two-string
on
a
function
gives
you
back
original,
exactly
the
source
code
that
the
user
read.
A
A
If
module
X
imports
a
for
module
Y,
then,
if
a
dereferences
X
before
the
exported
X
binding,
has
been
initialized,
then
you're
supposed
to
get
a
reference
error,
there's
no
way
to
emulate
that
efficiently,
with
a
non
invasive
rewrite.
So
instead
that
case,
specifically
that
case
I
will
give
you
back
an
undefined.
If
you
read
the
variable
early
rather
than
a
reference
there,
okay
and
I,
you
know
I
considered
that
to
be
within
the
overall
goals
that
one
when
I
was
willing
to
sacrifice
yeah.
A
D
For
me,
the
for
rewriting
the
the
the
only
thing
I've
tried
to
do
is
reduce
instrumentation
around
eval.
That
seems
to
be
the
tricky
one.
Import
is
necessary.
Eval
is
the
one
that
hasn't
really
worked
out.
I
have
worked
with
Saleh
to
look
at
how
he
approaches
it,
but
I
haven't
had
time
to
implement
that.
Yet.
D
D
Through
a
couple
different
ways,
I
try
to
leverage
the
the
the
built-in
behaviors
were
possible
else.
I
instrument
to
simulate
the
temporal
dead
zone,
but
I
define
my
value,
my
bindings
with
let
so
if
you
were
to
also
do
like
a
constant
later
on,
then
it
would
blow
up
I
instrument.
I,
do
a
parsec
to
make
sure
you're
not
assigning
directly
to
the
bindings
which
with
which
throws
the
appropriate
errors.
If
you
do
because
I
wrap
an
instrument
to
detect
assignment
mm-hmm,
so
yeah
I
throw
all
the
appropriate
errors.
D
D
Yeah
I
do
I
mean
like
I
I
have
a
if
it
is
an
assignment.
I
basically
have
a
function
that
I
wrap
around
the
assignment
and
then
pass
the
value
of
the
assignment
through
just
in
case
it's
needed,
and
there
I
can
do
some
checks
on
some
things.
Mainly
I
use
it
to
signal
to
the
getter
setters
that
they
there
has
been
an
update
for
a
possible
update,
and
then
it
triggers
all
of
that
that
machinery,
okay.
D
A
Right
right,
yeah,
the
the
the
thing
that
you
know
motivated
a
lot
of
my
approach
was
paregoric,
we've
repeatedly
gotten
screwed
up
by
rewrites
introducing
semantic
differences,
while
rewriting
the
rewriter
assumed
it
wouldn't
induce
well
combined
with
lack
of
documentation.
So
we
could
not
know
so.
Suddenly,
our
security
properties
depended
on
preserving
semantics.
When
the
rewriters
would
not
state
what
semantics
they
were,
guaranteeing
to
preserve
yeah.
D
Minor,
the
the
Reaver,
it's
pretty
basic,
it
just
does
a
wrapping
around
the
assignment,
so
so
far,
I
haven't
run
into
problems.
I
haven't
run
into
rewrite
problems
in
a
while
I
also
run
it
through
tests,
262
and
all
of
that.
Well,
justjust,
the
import,
stuff
and
I
haven't
run
into
any
weird
behaviors
there,
either
so
yeah
yeah,
okay,
great.