►
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
C
I
have
very
early
updates
on
the
service
work
that
quotes
for
containment.
Oh
great.
B
B
Hear
about
that,
and
so
my
topic
is
essentially
a
continuation
of
the
conversation
we
had
last
week.
I
found
the
conversation
last
week
tremendously
helpful
and
getting
me
started
in
a
good
direction.
I
still
don't
have
running
code,
but
I've
got
in
getting
code
has
worked
out
as
I
have,
for
what
I
have
in
mind
for
a
safe
module
system
learned
a
lot,
it's
actually
quite
different
than
the
code
I
showed
last
week.
I
think
it
has
some
very
clear
properties,
some
of
which
are
a
bit
surprising.
B
A
B
A
B
Yeah,
there
are
some
things
that
are
awkward
making
about
the
ACMA
script:
module
system
that
are
preserved
in
SES
but
banned
in
Jesse.
So
a
pure
Jesse
module
system
instead
of
SES
modules
they
are
allowed
directly
by
Jesse.
Don't
have
the
particular
things
that
made
this
so
weird
those
others
mentioned.
Those
things
are
live,
findings
and
disability
of
temporal
deadzone,
especially
under
cycles.
C
Make
a
note
that
I
do
want
to
talk
about
the
at
some
point
later
on
and
my
findings,
because
those
were
the
two
things
like
actually
my
bindings
was
the
one
thing
that
I
really
thought
required
a
little
bit
more
in
this,
but
I
think
you
know
there's
a
discussion
about
how
it
is
naturally
handled
by
the
encapsulation
model.
B
C
Yeah,
well,
it's
a
little
bit
to
actually
talk
about
the
same
browser.
Free
I
just
haven't
vacation
that
I
made
me.
You
know,
exercise
the
different
aspects
of
their
service
workers
that
will
affect
the
design
of
the
container
and
based
on
that
basically
I'm
doing
where
our
browser
inconsistencies
will
be
troubling
and
where
potentially
the
service
worker
spec
can
actually
leverage.
C
You
know
assistance
making
this
a
much
much
more
palatable
experience,
so
so
what
you're
seeing
here
is
basically
an
iframe
backed
by
a
service
working,
so
it's
kind
of
like
a
mini
browser
and
it
uses
a
concept
that
extends
on
the
idea
of
scopes,
we're
in
a
service
worker
model.
You
have
a
service
worker,
that's
a
separate
thread
that
executes
for
a
particular
scope
and
then
my
approach
for
for
encapsulating
you
know
on
another
domain
is
basically
to
put
it
inside
a
subsequent
of
the
containers.
B
Me
ask
a
question
already
because
I'm,
not
you,
know,
I
much
more
ignorant
on
the
web
side
of
things
that
I
am
on
the
JavaScript
JavaScript
side
things
this
notion
of
a
scope,
yeah,
so
I
know
what
the
browser
notion
of
an
origin
is,
or
and
actually
a
little
bit
unclear
of
a
difference
between
origin
host.
So
you
probably
don't
need
to
go
into
that
from
when
you
were
highlighting
things.
B
C
So
the
idea
from
that
comes
specifically
from
the
ocean
that,
for
security
purposes,
a
service
worker
that
is
found
in
this
folder
should
not
have
reach,
except
where
the
folders
that
are
at
this
level
or
below
it.
So
this
is
where
the
idea
of
scope
came
from.
They
said
you
know.
If
a
domain
is
shared
on
multiple,
you
know,
services
security
would
be
required
that
the
service
worker
does
not
reach
over
its
own
parents
cool,
so
so
scope
is
kind
of
like
an
origin
with
a
little
bit
of
a
path.
C
You
know
a
few
directory
like
like
which,
wherever,
wherever
you
said
to
school,
the
spec
says
that
the
service
worker
should
be
able
to
intersect
any
you
know
any
such
operations
for
that
scope
or
below
it.
As
long
as
the
page
registered,
the
oldest
worker
is
either
endemic
scope
or
there
is
requesting
from
that
scope.
Oh.
B
C
That
is
what
I
want
to
find
out
next
week
because,
like
that
would
be
very
much
thinking,
but
it
might
actually
like,
like
last
week,
I
had
a
surprise
where,
if
my
page
was
real
and
my
page
requested
something
here
and
since
it
was
under
the
photo,
it
actually
allowed
the
sweetest
worker
to
intercept
this
request.
So
that
was
a
surprise.
It
was
unexpected
and
the
next
surprise
which
I'm
hoping
for
which
will
confirm
next
week,
is
whether
or
not
if
this
page
here
can
access
another
domain
completely
and
still
hack,
serviceworker
interception.
Yeah.
B
That
was
one
of
the
things
where
I
felt
like
we
needed.
A
fundamental
change
is
my
understanding
without
having
ever
tested
or
investigated.
Very
much
was
that
service
workers
were
essentially
trying
to
be
a
local
emulation
of
what
would
be
a
remote
server
at
an
origin,
and
therefore
only
requests
to
that
origin
would
go
to
any
particular
service
workers,
which
makes
it
useless
trick
and
fun
makes
it.
You
know,
makes
it
by
itself
useless
for
confinement,
but
if
we
can
actually
intercept
all
requests
from
the
page,
that
would
be
wonderful,
yeah.
C
Just
workers
were
supposed
to
be
I,
get
the
serviceworker
from
Google.
You
get
access
to
Google
things,
because
I
have
a
particular
API
privilege
that
allows
my
domain
to
do
certain
things
with
the
googly
and
Google
wanted
to
get
to
that
point
where
you
are
giving
people
a
worker
for
your
domain
to
use
on
here
to
make
ad
the
client
side.
That
was
really
the
idea,
but
but
everything
you
know
at
that
level
was
basically
clipped
gradually
out
of
the
out
of
the
spec
as
it
became
a
lacrosse
deck
and
I
was
surprised.
C
You
see
that
it
was.
It
was
able
to
pierce,
at
least
within
this
same-origin
singles.
You
know
a
little
surprising
for
me,
so
the
second
thing,
though,
is
that
they
are
clean.
They
don't
always
catch,
and
you
cannot
generally
depend
on
the
fact
that
the
spec
says
something
will
be
available
for
you
to
depend
on
and
note
that
all
browsers
will
actually
conform.
B
B
Why
don't
I
say
a
few
words
about
sort
of
in
general?
What
we're
trying
to
accomplish
here
and
then
let's
take
questions
from
everybody
else
until
we're
all
sort
of
in
sync
on
what
we're
trying
to
accomplish
here
so
in
in
kaha.
As
the
first
time
we've
tried
to
do
something
object
capability
like
for
general
web
content.
B
So
in
John
and
kaha,
we
did
that
by
wrapping
the
DOM
and
therefore
having
to
emulate
the
entire
Dom
API
in
our
wrapper
and
by
wrapping
give
the
confined
code
access
to
a
dom
subtree
a
sub
created
the
genuine
Don
that
was
mapped
to
a
virtual
iframe,
so
they
looked
I
frame
like
and
as
well
as
virtualizing.
All
the
other
browser
locals
xmlhttprequest
in
particular,
so
the
whole
browser
API
to
JavaScript,
combined
with
we're
rewriting
the
HTML
and
rewriting
CSS,
which
I'm
not
going
to
touch
on
work
day
unless
it's
relevant.
B
B
A
B
So
it
started
off
I
believe
as
just
an
internal
function.
You
know
a
specification
fixture
so
that
the
specification
was
refactored
so
that
all
the
things
that
needed
to
go
to
the
network
went
through
an
internal
function
on
the
way
to
the
network,
and
then
there
was
also
a
new
API
that
was
added
to
browser
API,
essentially
a
rapid
of
XML
HTTP
request.
That
is
a
fetch
function.
B
But
that's
not
the
answer
to
the
that's,
not
the
one
that
I
mean
because
the
fetch
function
that's
made
visible
is
one
of
the
routes
to
the
internal
fetch
function,
but
the
but
but
for
example,
replacing
the
visible
effect
function
with
something
else
does
not
intercept
the
fetches
that
are
generated
by
the
Dom.
So.
B
B
But
what
got
but
just
like
replacing
HTTP,
XML
HTTP
request
with
the
safe
wrapper,
doesn't
change
the
Dom
behavior
reflection,
replacing
the
visible
binding
of
the
global
fetch
with
a
safe
wrapper
does
not
change
the
Dom
behavior.
However,
there
is
this
serviceworker
mechanism
that
we're
exploring
that
does
allow
you
to
intercept
some
fetches
under
some
conditions
and
what
fetches
it
enables
you
to
intercept
under
what
conditions
is
something
that
we're
still
trying
to
pin
down
so.
A
B
Yes,
that's
perfect
example,
so
con
did
all
of
this
by
complete
intermediation
between
the
confined
JavaScript
code
in
the
genuine
Dom,
and
that
intermediation
understood
all
of
the
contexts
in
which
text
that
was
a
URL
was
being
passed
through
in
such
a
way
as
to
cause
network
access,
and
we
had
a
HTML
rewriter
that
would
remap
all
those
names.
However,
the
creator
of
that
confinement
box
wanted
to
do
it,
so
you
can
think
of
it
as
an
MMU
for
for
addressing
the
wet,
mrs.
Kincaid,
you
could
do
whatever
remapping
of
the
namespace.
A
C
B
Kaha
is
now
maintained
only
in
the
20%
time
of
Kevin's,
so
the
kaha,
the
SES
in
kaha,
is
really
atmospheric.
Five
voyant,
it's
not
up-to-date
with
modern
JavaScript,
which
is
why
gorrik
and
Salesforce
did
this
interesting
effort
to
rebuild
cob
servers
really
read
ses
from
scratch
for
modern
JavaScript.
B
Regarding
the
browser,
api's
kaha
does
not
know
anything
about
web
components.
It
has
no
notion
of
shadow
Dom
trees
or
anything.
There's
an
of
an
interesting
history
there
that
I'll
just
touch
on
which
is
when
web
components
started.
It
looked
like
it
might
be
a
way
to
get
a
security
mechanism
directly
into
the
browser
that
allowed
kaha.
It
would
have
allowed
Cox
who
used
the
security
mechanism
directly
to
avoid
the
need
to
wrap
the
Dom,
because
essentially,
what
we're
doing
by
putting
a
layer
in
front
of
the
Dom
is
very
much.
C
B
No
longer
know
the
shadow
Dom
weren't
well
enough
to
understand
the
question
yeah.
Well,
this
yeah.
Let
me
just
just
put
the
history
to
rest.
That
effort
failed.
The
the
people
do
some
of
the
people
doing
the
shadow
Dom
work
were
interested
enough,
we're
not
interested
and
they
wanted
to
ship
something
on
a
timetable
such
that
it
just
didn't
happen
in
a
way
that
provided
us,
what
we
need
for
security,
so
caught
self
basically
is
stuck
in
what
is
mostly
an
HTML
HTML
for
understanding
of
the
breadth
of
the
Dom
in
browser.
C
C
So
I'm
just
showing
here
because
since
we
talked
about
fetch
being
you
know
the
central
core,
yeah
central
waiting
for
all
the
tests,
that
the
browser
will
make
I'm
just
really
just
needs
the
spot,
because
our
useful
workers
and
a
frames
is
in
order
for
us
to
enforce
CSV,
to
prevent
unauthorized
requests
and
the
fact
that
we're
using
service
workers,
we
are
going
to
be
intersecting
requests
that
will
be
one
of
and
one
of
those
types
of
destinations.
So
this
table
is
really
the
overlap.
C
Is
all
the
things
were
working
on
so
so
just
very
quickly.
You
know
document,
there's
two
of
them
because
I
believe
what
happens
here
is
when
you
get
in
country
yeah.
So
it
says
right
here.
If
there's
an
iframe,
you
could
have
a
CSP
prevent
limits
which
URL
an
iframe
can
load
on
your
page,
but
there's
also
a
second
document
which
is
really
from
the
iframes
perspective.
It's
making
a
document
request
as
a
navigation
request
and
I'll
clarify
it,
because
it's
very
important,
so
there
aren't
four
modes
of
requests.
C
C
This
one
is
metal,
regular,
mulch,
apoE
exhaust
it's
covered
in
the
touch
layer
and
it's
intercepted
by
service
work
after
cutting
the
web
layer
and
end
of
fetch
layer
like
internally,
and
it
is
intercepted
by
the
service
worker.
Although
the
service
workers
will
not
go
around
and
make
a
navigate
back
to
the
quest,
even
if
it's
got
a
fetch
request,
that
is
navigated,
you
know
I'll
get
to
that
in
a
second.
C
So
so,
with
those
two
you
know
and
and
and
the
quick
overview
or
review
of
what
we're
trying
to
do,
I
basically
put
together
this
custom
element
that
it
that
wraps
an
iframe
and
it
comes
with
an
with
another
class,
called
like
a
sandbox
container
and
that
sandbox
container
is
quickly
what
handles
the
serviceworker
api
on
a
document
level.
And
so,
if
it
creates
the
service
orchestration
and
ensures
that
the
Queen
whoa
whoa
navigate
through
this
work
well
by
making
sure
it's
registered
appropriately.
He.
C
A
C
There's
like
just
air
or
something
Ruiz
is
that
color,
no
okay,
so
yeah
give
me
one
sec.
C
Right,
so
what
what
happens
when
you're,
when
you
want
to
register
a
service
worker
I,
don't
think
there's
a
better
way
to
start
this
when
you
want
to
get
a
service
worker
to
act.
C
On
your
behalf
from
a
page,
you
actually
have
to
call
a
navigator
that
service
worker
the
register,
and
then
you
give
it
a
URL
for
a
particular
script
and
you
define
the
scope
and
then
you
do
a
little
dance
of
like
awkward
promises
and
stuff
like
that
to
make
sure
that
the
service
worker
is
up
to
date
or
if
it's
going
to
be
cashed.
All
this
is
happening
and
debug
ability
is,
like
you
know,
like
it's
awful
and
in
every
browser
you
find
surprises.
C
Sometimes
you
register
and
it
just
works
immediately
as
soon
as
you
make
next
call,
and
some
browsers
chrome
is
very,
very
eager
to
give
you
Service.
Worker
access
places
like
Safari
are
like
it
depends
on
the
month.
I'm,
not
sure
and
Safari
likes
to
always
keep
things
that
are
not
a
security
risk,
but
just
sound
like
people
might
want.
C
We
will
get
to
that
exactly
in
one
second,
okay.
That
was
why
I
really
really
suffered
last
week.
So
so,
but
once
you
have
a
registration,
you
have
gone
over
the
first
hurdle,
I
registered
the
Service
Worker
like
two
years
ago
or
so,
and
I'm
still
learning
how
to
register
today.
I
don't
have
any
production
use
for
service
workers,
but
I
always
explore
that
they
can
be
used
and
it
feels
like
I'm
learning
it
at.
C
You
know
all
over
again
every
single
time,
but
it's
very
simple:
you
you
basically
get
a
registration,
and
this
this
object
is
almost
identical
to
the
object
of
the
registration
that
is
globally
scoped
in
the
Service
Worker
threat.
C
So
there
are
a
lot
of
like
features
that
you
know:
I
I,
don't
think
we
need
it
all
or
even
need
to
worry
about,
but
the
fundamental
things
we
need
to
worry
about
are
state.
You
know
the
state
of
the
service
worker,
whether
it's
actually
active
or
activated,
or
whether
there
are
updates
it
might
be,
installing
the
updates
so
so
events
that
relate
it
to
the
fact
that
you
might
get
a
different
threat
in
a
in
a
second
or
two
to
service.
C
C
The
other
thing
is
the
fact
that
you
know
you
can
tell
this
code
by
just
looking
at
the
registration
and
from
the
client
side,
the
the
top
page
registered
the
service
worker
on
this
scope
and
from
there
as
soon
as
it
knows
that
it
is
registered
and
active,
it
can
safely
load
any
URL.
That
falls
under
the
scope
and
an
iframe,
and
that's
that's
where
it's
it's.
C
C
C
The
critical
thing
is
that
a
request
has
to
be
tied
to
a
particular
frame
or
a
particular
point,
and
just
do
you
know.
A
client
in
this
kind
of
request
will
always
be
the
iframe.
It
will
never
be
the
parent
page
and
I
guess
other
other
properties.
Dc
here
are
related
to
the
fetch
options
that
you
would
add
to
a
fetch
called
of
the
same
effect.
C
C
The
remote
URL
is
basically
just
three
levels
up
slash
test
instead
of
experiments.
So
technically
it
is
outside
the
scope,
but
it's
still
within
the
origin,
shown
after
the
first
request
and
after
the
workers
able
to
actually
map
tests
to
the
remote
URL.
It
will
then
expect
any
touches
that
that
have
the
same
client
identity
to
to
be
sandboxed,
if
they,
if
they
are
underneath
the
the
container
and
to
be
on
sandboxed.
Otherwise,
in
some
cases
it
will
actually
block
them.
But
you
know
those
are
all
just
details.
C
We
can
talk
about
down
the
road
so
for
the
CSS
it
was
able
to
reroute
the
dot,
slash
hello
world
dot,
CSS
from
the
original
remote
URL
to
the
one
that
is
actually
inside
the
container,
and
that
happened
because
the
page
literally
says
dot
slash.
So
it
expects
it
to
actually
auto
sandbox
and
it
did
the
same
for
the
JavaScript
flat.
So
all
those
files
like
containers
literally
has
I
can
actually
show
that.
C
C
You
know
sanity
check
that
I
did
and
then
I
threw
in
one
another
request.
That
has
a
lot
more.
You
know
surprising
aspects,
I'm,
basically
loading
my
own
website,
which
would
be
really
different
origin,
not
a
same
origin
I'm,
just
loading
the
landing
page,
and
the
interesting
thing
is
that
I'm
use
relative
routes
relative.
C
So
the
fact
that
it
started
with
a
slash
made
it
result
against
localhost
not
against
the
container,
and
yet
the
serviceworker
had
enough
authority
to
intercept
that
request
so
and
I
think
this
is
Marcus.
The
part
that
you
were
trying
to
you
know
take
a
little
bit
further
and
see
whether
or
not
it
will
intercept
a
different
URL
completely,
and
for
that
I
wanted
to
get
everything
solid.
You
know,
I
can
debug
reasonably.
C
B
C
It
feels
like
people
more
aware
of
our
needs
that
privacy
than
we
ever
but,
unlike
Chrome
Safari,
has
to
inspect
the
service
work.
You
know
anything
winter,
all
together,
so
what's
happening
here,
notice.
How
in
in
Chrome
I,
was
basically
able
to
say
those
are
on
sandboxed
and
Safari.
I
could
not
verify
and
using
the
available
service
aspects
that
the
request
being
actually
being
made
by
a
sandboxed
iframe
and
here's
the
wreath
in
the
service
work
per
spec.
You
have
on
the
event.
C
You
have
two
properties
that
can
I
can
help
you
determine
which
crane
you
need
to
attribute.
This
request
to
the
client
ID
is
a
property
that
this
request
is
is
a
fetch
that
is
happening
by
a
frames
by
a
frame
either
because
it's
loading,
a
sub
resource
on
its
page
or
because
attach
ap
on
a
call
with
me.
C
C
So
if
my
eye
frame
loads,
a
new
page,
the
fetch
event
will
have
a
client
ID
that
is
about
to
expire
and
the
resulting
client
ID.
That
only
has
a
browser,
a
browser
context,
but
not
a
document
yet,
and
it's
basically
saying
that
this
page
that
you
are
fetching
right
now
will
become
the
new
you
know,
base
the
the
new
document
that
will
populate
the
Dom
of
this
browser
context
and
the
ID
that
you
will
track
all
future
requests
happening
on.
Its
behalf
is
the
resulting
client
ID.
C
So
in
order
for
me
to
sandbox
in
chrome,
you
know
when
I
was
I
said:
okay,
so
I
get
a
result
in
client,
ID
I.
Call
it
receiver
here
for
just
just
to
keep
things
short
and
I
could
also
have
gotten
an
initiator
if
the
iframe
had
a
page
that
in
which
I
click
a
link
to
start
navigating
to
a
different
page.
C
So
this
would
be
the
client
ID,
and
this
would
be
the
resulting
client,
ID
and
once
I
had
that
I
said
that
any
any
requests
that
are
valid
from
an
initiator
that
has
this
ID
from
now
on
will
be
either
sandboxed
if
it's
under
containers
under
the
same
container
or
on
sandbox.
If
it's,
you
know,
okay,
it's
an
acceptable
request,
but
it's
not
under
the
container
itself.
It's
actually
you
know
escaping
it.
For
some
reason
in
Safari,
I
couldn't
get
you.
C
Let's
put
it
this
way,
so
so
chrome
gives
me
the
the
things
that
when
I
read
the
spec
and
I
wrote
my
logic
and
I
wanted
it
to
work.
It
worked,
however,
Safari
was
working
for
other
reasons
or
not
working
and
I
didn't
know,
but
when
I
doubt
very
very
deep
into
you
know,
discussions
happening
about
what
they
will
actually
make.
You
know
changes
they'll
make
down
the
road
I
believe
so
furry
is
holding
out,
so
Safari
is
definitely
introducing
something
that
I
will
not
concern
myself
with
until
you
know
very
late
in
development.
C
Safari
refuses
in
the
initial
request
to
identify
the
browser
context
that
I
should
start
tracking
from
now.
They
think
it's
enough
for
me
to
start
tracking
whenever
you
know
I
get
lucky
and
get
a
fetch
request
and
then
I
know
enough
information
to
do
serviceworker
without
actually
knowing
anything
about
the
user.
That
I
think
that's
the
rationale.
I
have
about
Safari
a
student
so
since
I
cannot
track
from
the
first
navigation
I
technically
do
not
know
whether
or
not
any
subsequent
requests
are
sandbox
about
or
not.
A
This
yeah,
so
would
this
be
made
easier
if
your
serviceworker
was
only
running
within
the
white
container,
or
is
that
possible
well.
C
That
could
be
possible,
but
you
know
we're
distributing
across
a
number
of
threads
and
I
thought
to
myself.
I
can
have
a
lot
of
moving
threads
and
moving
parts,
and
you
know
debugging
over
a
page,
and
a
worker
is
hard
enough.
I
just
didn't
know
like
once.
He
had
more
than
one
serviceworker
here:
here's
what
happens
sometimes
a
page
that
tries
to
get
something
that
falls
under
the
scope
of
another
serviceworker
may
be
intercepted
by
one
or
the
other,
depending
on
the
browser
that
that's
a
potential
complication.
C
But
you
know
the
default
behavior
should
be
that
if
it
fell
under
the
scope
of
another
serviceworker
and
will
show
up
there,
only
the
other
service
worker
is
is
completely
isolated
and
has
no
knowledge
of
other
service
workers.
So
it
will
be
getting
a
request
that
may
or
may
not
be
clearly
attributed
to
the
frame,
but
it
will
likely
not
have
any
knowledge
of
that
frame.
C
Okay,
that
makes
sense
yeah,
so
I
wanted
to
keep
at
least
some
sort
of
a
wiggle
room
where
we
say
listen,
I
know
that
this
frame
is
really
trying
to
do
something
it's
not
allowed
to.
Unless
we
actually
allow
containers
to
to
you
know
multiple
containers
reflecting
one
or
more
subdomains
of
a
particular
domain
for
a
particular
page,
then
then
you
know
this.
This
dance
between
many
workers
will
be
impossible.
I.
B
Have
a
question
for
men
well
regarding
Walker
service,
so
as
I
understand
it,
Walker
service
is
also
providing
some
kind
of
virtualized
access
with
many
of
the
same
goals
as
with
and
many
singles
that
were
trying
to
achieve
here.
A
Well,
that's
exactly
why
I'm
here
right
to
learn
what
this
is
about,
because
you're
right
it's
been,
it's
been
really
hard
for
look
or
the
way
we're
doing
and
to
keep
up
with
the
browser
API.
You
know
that's
exactly
this.
We
have
the
same
pain.
You
know
because
we
are
maybe
are
used,
this
more
narrow
to
our
cost,
et
cetera.
So
far
we
are
like
you
know,
kind
of
like
in
an
okay.
Is
this
we
need
to
scale
in
in
order
to
scale.
The
party
that
we
have
so
far
is
not
gonna
work.
A
So
that's
why
we
are
here
to
listen
and
to
see,
because
we
need
to
simplify
our
architecture.
We
have
efforts
internally
to
salesforce,
to
simplify
the
local
local
architecture
and
but
they're
just
getting
started,
and
so
you
know
this
is
part
of
it.
So
to
understand
how
these
can.
Maybe
you
know,
help
us
the
same
way.
Okay,.
B
And
with
sales
forces
throw
away
so
to
speak,
if
things
are
there
delicately
and
accidently
securable
now
with
salesforce
you're,
throwing
their
way
behind
those
security
properties,
it
can
give
us
a
lot
more
confidence
that
things
don't
evolve
in
a
way
to
break
the
security
because
they
would
break
Locker
and
we
could
probably
get
a
lot.
You
know
anything.
That's
an
accidental,
secure
ability,
property
now
that
we'd
like
to
get
written
more
normatively
into
the
specs.
A
Absolutely
and
again,
that's
why
you
know
we
are
participating,
because
we
want
to
both
listen
to
what
this
group
has
been
thinking
about
of
the
problem
space
and
all
that,
because
you
know
it's
very,
very
similar
and
also
you
know
if
we
can
help
by
with
the
problems
that
we
have.
You
know
again,
we
have
very
specific
Scots
and
great
examples.
Fantastic
right.
This
is
just
cross-pollination
to
make
things
better,
so
yeah,
absolutely
okay,.
B
B
B
Assuming
that
there
was
that
there's
some
platform
way
to
create
a
new
route
around
the
new
set
of
Global's,
and
that
turned
out
to
be
a
assumption
that
SES
did
not
need
and
an
assumption
that
gets
us
into
troubles
on
some
platforms,
notably
within
a
worker
speaking
of
workers
within
a
worker.
You
only
have
one
regret:
there's
no
ability
to
create
multiple
realms
that
got
meta
masks
into
trouble,
trying
to
use
the
Agora
gem.
B
Likewise,
gorrik
itself
got
into
trouble
trying
to
use
the
Agora
shrim
when
we
try
when
we
got
our
code
running
on
excess,
the
JavaScript
for
embedded,
where
there's
also
only
one
root
realm.
So
there's
another
repository
that
Salesforce
and
gorrik
are
collaborating
on.
That
Salesforce
is
hosting,
for
which
the
plan
is
to
open
source.
B
It's
not
actually
publicly
visible
yet,
which
is
a
essentially
the
same
starting
at
SES
but
engineered
so
that
it
simply
attains
the
the
root
realm
that
it's
in
rather
than
creating
and
taming
a
new
and
agaric
wants
to
to
reconcile
with
that,
and
so
that
once
that's,
you
know
what
so
that,
once
it's
it's
open,
we
can
have
one
joint
SES
that
can
be
used
within
one
frame
so
that,
but
so
that's
the
first
step.
The
second
step
is
that
neither
of
the
SES
shins.
B
Deal
with
modules,
you
know
they're
both
deal
with
safe
evaluation.
Through
this
you
there's
our
use
of
direct
eval.
That
modules
still
need
to
be
rewritten
Salesforce
has
their
own
kernel,
module,
rewriter
or
rewriting
modules
to
say
scripts,
but
that's
not
part
of
the
shim
that
the
shim
repository
that
agaric
and
salesforce
are
collaborating
on
I.
B
Don't
know
if
plans
to
open
source
that
and
then,
when
we're
discussing
in
this
conversation,
which
is
the
strange
things
that
Salesforce
is
doing
to
to
to
tame
the
Dom
API
is
yet
a
third
piece
of
work
that
I'm
not
aware
of
plans
to
open
source,
but
but
but
but
clearly
altogether.
This
group
is
proceeding
towards
plans
to
have
open
source
solutions
to
all
three
of
those
things
which
we
need.
C
You
so
should
I
continue
or.
C
C
Nothing
and,
to
you
know,
come
come
to
a
comfortable
realization
of
which
router
will
be
the
one
that
have
to
work
out.
You
know
the
prototyping
phase,
and
hopefully,
by
the
time
the
crane
typing
in
other
browsers
need
to
catch
up
or
in
acquisition,
or
we
are
in
a
position
actually
help
them
catch
up
with
good
recommendations.
C
A
C
All
right,
Bob
take
care
yeah,
so
so
I
considered
complex
requests
or
requests
that
have
you
know,
parameters
to
with
them
they're
not
a
result
of
a
very,
very
simple
link
or
script,
or
you
know
all
these
elements
that
you
would
have
in
your
page
or
a
simple
fetch.
So
so
this
complexity
is
something
that
you
know
will
have
a
lot
of
surprises
and
I
wanted
to
get
a
very
solid.
C
The
second
aspect,
so
I,
like
I,
created
this
threat
here,
just
I
mean
I
replied.
You
know
with
all
the
different
topics
that
you
know
anyone
interested
or
has
input
on
one
or
the
other.
It
would
be
very,
very
helpful
to
actually
open
the
discussion
there.
I
didn't
want
to
create
all
these
different
threads
and
you
know
distract
or
you
know,
make
it
less
noticeable,
which
one
is.
C
One
of
them
is
the
idea
that
one
doing
is
really
on
rebasing
a
URL
against
the
container
and
I.
Don't
think
that
rebasing
is,
you
know
very,
very
like
a
one-time
use
for
a
serviceworker
api's.
So
if
the
serviceworker
api's
would
actually
have
you
know
an
additional
option
for
people
to
use
that
would
allow
them
to
to
delegate
to
the
browser
safely
containing
a
domain
against
a
container
inside
the
scope.
Then
you
know
that
all
that
heavy
lifting
that
we
have
to
do
would
really
be
delegated
to
the
browser.
C
The
fact
that
we
are
running
a
particular
resolver
against
a
particular
frame
made
me
think
of
the
idea
of
inlining
a
dedicated
worker
that
services
a
particular
iframe
as
being
a
more
natural
way
to
think
about
a
service
worker
for
containment
and
I'm,
not
sure
how
that
would
look
like
in
the
spec.
But
you
would
associate
a
work
which
apparently
is
a
module-based
thing
and
that
worklet
will
basically
have
its
its
target
as
the
iframe
from
the
serviceworkers
context.
So
all
events
related
to
the
iframe
will
be
somehow
delegated
to
a
worklet.
C
C
B
The
plan
that
we're
talking
about
here,
I
think,
cannot
do
anything
as
transparent
as
that.
None
of
the
mechanisms
that
we're
talking
about
allows
us
to
intercept
script
execution
in
the
Dom.
If
we
give
direct
access
to
the
Dom.
The
only
way
we
can
do
that
safely
is
to
say
that
that
frame
is
CSP
restricted
to
gnome
evaluation,
which
you
can
do
with
CSP.
Of
course,
SCS
requires
evaluation.
B
What
I've
been
assuming,
which
I
should
have
been
stating
which
corresponds
to
some
of
the
things
we
did
in
kaha,
is
that
we
actually
create
two
for
two
frames
to
same
origin
frames,
one
of
which
contributes
the
Dom.
That
has
no
evaluation,
the
other
of
which
contributes
the
realm
in
which
we
run
cess,
and
then
we
give
only
JavaScript
objects
from
the
second
frame
access
to
only
the
Dom
from
the
first
frame,
and
the
result
is
that
the
SES
cans,
an
SES
evaluate,
but
the
Dom
nodes
cannot
cause
evaluation,
that's
safe,
but
it's
not
transparent.
B
C
So
I'm
a
little
bit
more
wishful
by
the
way
and
I
think
that
we
will
be.
We
will
have
a
little
bit
s
that
will
maybe
not
require
us
to
have
those.
C
C
Csp
is
actually
landing
on
iframe,
so
you
could
find
green,
a
CSP
policy
permanently
on
an
iframe
before
you
load
the
first
page
and
then
any
pages
that
load
from
there
on
in
that
frame.
I
believe
you
know,
this
is
how
it
applies
to
all
other
attributes
of
the
eye
cream
and
eye
cream
cream
particular
options
and
as
soon
as
it
turns
a
page,
those
restrictions
remaining
on
the
eye
cream.
So
that.
B
Particular
restriction
that
we
would
need,
when
we
just
restated
implicitly
to
because
I'd
be
very
surprised
that
there
is
any
way
to
do
this.
Now
is
that
within
the
iframe
we
accept
code
that
thinks
it
can
use
script,
tags
or-
or
you
know,
the
the
event
things
basically
thinks
I
can
have
little
bits
of
JavaScript
embedded
in
the
HTML.
B
C
Actually
remembered,
that's
good,
so
so
what's
happening
or
yeah
what's
happening
here
is
I
have
my
render
that
basically
renders
something
I
called
mark
out
which
is
like
markdown
but
but
like
better?
Hopefully
it
will
replace
mark
them.
No,
no.
It's
just
meant
to
actually
have
script,
tags
and
other
web
things,
because
the
renderer
actually
runs
against
a
Dom.
So
why
restrict
things
you
know
like?
So
so?
If
you
open
this
page
in
like
in
in
markdown
and
literal
markdown,
you
would
see
something
like.
C
And
I
wanted
to
intercept
a
script
and
make
sure
that
it
has
access
to
the
output
element
in
which
it's
inside
so
I
mean
I'm,
doing
this
encapsulation
by
preventing
the
script
from
executing
and
then
doing
it
as
if
it's
executing
in
a
you
know,
it's
a
it's
an
output
script,
it's
something
I
invented
invented
out
of
nowhere
and
I
am
flattered.
They're,
cool
Oh.
B
Go
back
to
that
screen.
I
already
have
some
questions:
yeah,
okay,
so
I
understand
how
you
can
prevent
it
from
executing
what
I
don't
know
is
without
understanding
all
the
places
in
the
Dom,
where
a
string
would
call
something
to
execute.
How
do
you
know
that
this
is
something
that
the
pager
was
expressing
the
desire
that
this
executed,
so
that
you
can
execute
by
other
means,
so.
C
So,
are
we
talk
about
a
parent
page
and
I'm
gonna
get
to
that
point,
particularly
from
from
from
you
know,
Thank
You
relatedly,
we're
talking
about
a
parent
page
having
access
to
the
Dom
and
creating
the
serviceworker
and
registering
it
when
the
parent
page
is
navigating.
There
are
at
least
one
or
two
strategies.
The
first
one
is.
C
Knowing
that
the
code
is
not
going
to
execute,
making
subtle
changes
to
scripts
to
force
them
to
be
encapsulated
against
what
would
be
an
SES
API
that
will
be
globally
available
in
the
I
free,
so,
whatever
sanitization
you
want
to
do
on
an
old
level,
you
could
have
the
service
worker
knows
it's
a
it's
a
navigation
to
a
document.
It
says.
Okay,
well,
is
anybody
the
host
of
this?
C
Yes,
the
page
says
yes
well
sanitize
this
and
give
it
back
to
me
and
then
I'll
respond,
return
it
to
the
iframe
or
is
sanitize
this
and
put
in
the
iframe
and
I'll
know
when
it
happened.
So
so
that
approach
of
sanitizing
against
a
template
element
is
a
very,
very
like
use
whatever
you
have,
and
and
don't
do
a
lot
of
additional
work
to
potentially
solve
this
problem.
B
That
makes
sense
to
me
and
I'm
glad
you
reminding
about
the
inertness
of
templates
and
that's
a
very
powerful
lever
for
us
to
make
use
of
so
yeah.
That
makes
sense.
It
makes
me
much
more
hopeful
that,
without
any
kind
of
deep
knowledge
of
the
Dom,
we
might
be
able
to
safely
emulate
inline
script
execution
by
term
by
running
the
the
code
through.
Is
there.
C
C
That
is
the
HTML
code
that
would
have
been
a
page
loaded
in
the
ivory
I
I,
don't
know
if
it
was
SRC
or
another
attribute
I
believe
it
was
SRC,
but
in
the
spec
I
read
at
some
point
that
when
there
is
SRC
dog,
whatever
the
URL
that
was
in
that
other
attribute
was
basically
what
the
page
will
think
it's
being
served
from.
C
So
that
would
allow
the
page
to
think
that
it's
coming,
you
know
from
the
source,
but
it's
actually
coming
from
sanitized
as
RC
doc.
That
mechanism
I
didn't
really
dig
deep
into,
but
that
would
make
the
service
worker
fetch
the
document
give
it
to
the
host
and
then
the
host
is
like
okay,
thank
you.
I'm
gonna
put
it
on
the
frame
and
it
cuts.
You
know,
cuts
the
round-trip
cost.
B
Don't
want
the
thing
is
the
serviceworker
is
the
thing
it's
fetching
is
HTML
text
I,
don't
want
it
to
have
to
parse
the
HTML
text
accurately
in
order
in
order
to
transform
it
into
something
safe.
Well,
your
captain,
your
template
notion,
which
allows
me
to
turn
it
into
a
Dom
tree
without
worry
and
then
proceed
to
operate
on
the
parsed
Dom
tree.
That
makes
me
feel
much
more
comfortable.
Yeah.
C
So
I'm
designing,
like
I
I,
initially
said
SES
frame,
and
then
we
said,
okay,
Jessie
frame
will
be
SES,
Prima
cleanse
Jessie
frame
and
then,
when
I
actually
went,
you
know
sat
down
and
started
to
code.
This
I
said
sandbox
for
Haiti,
from
which
you
know
SES
frame
extend
and
Jessie
frame
will
extend
because
they
found
that
the
two
will
not
necessarily
have
you
know,
one
extends
the
other,
but
rather
they
both
extend
the
shared
thing.
C
So
so
one
word
more
strategies
for
sanitization
are
really
what
sandbox
frame
is
is
trying
to
Allah
the
very
careful
approach
which
will
technically
feel
I
believe
a
little
bit.
It
will
require
a
little
bit
more
overhead
is
to
do
it
with
a
template
element
where
the
browser
can
cannot
mess
up
things
unless
it
will
mess
it
up
anyways.
B
So
but
but
the
thing
is
the
reason
why
I
don't
want
to
rely
on
a
user
rittany
HTML
parser
is
very
much
like.
Why
don't
want
to
write
a
result
to
a
user
written
by
JavaScript
parser.
Is
it's
notoriously
hard
to
parse
accurately
the
Saul
I
know
you
and
I've
corresponded
about
tag
soup,
so
Mike
Samuel
for
caja
wrote
the
accurate
HTML
parser
for
Karl,
and
it
was
not
a
job
that
that
any
of
the
rest
of
us
could
have
done.
It
was
just
a
tremendously
bizarre
and
careful
exercise.
C
C
So
you
know
it's
an
HTML,
it
has
some
CSS
and
it
has
some
JavaScript
and
it's
not
using
any
in
library
basically
over
the
built-in
parser.
Obviously
it's
not
going
to
be
perfect.
It's
going
to
have
log
batch
cases
well,.
B
C
C
So
it
will
allow
you
to
know
it
will
allow
you
to
specify
how
your
particular
extension
of
the
sandbox
screen
sanitize
it
either
it
sanitizes
by
template-
and
that's
like,
like
that's
a
an
additional
extension
that
you
would
do
for
the
sanitize
aspect
of
the
sandbox
screen
or
if
it
uses
you
know
a
custom
parser.
Then
that
would
be
another
aspect
of
another
extension.
So
so
so
citation
is
one
of
the
goals.
C
The
method
of
sanitization
is
is
one
of
the
things
that
are
meant
to
be
extensions
so
for
to
buy
the
same
box
great
for
Jessie
frame.
We
have
virtually
no
technician
happen
for
a
Jessie
code
in
the
water
and
because,
basically,
Jessie
module
will
run
against
a
translation
logic
that
that
you
know
comes
from
the
same
source
code,
that
parts
as
the
Jessie
code
or
parts
the
Jessie
code,
and
it's
going
to
be
needed
because
Jessie
code
and
I
think
Michael
would
be
the
best
person
to
actually
give
that
summary
Michael.
A
This
would
go,
let's
see
so,
essentially,
what
I'm
heading
towards
is
trying
to
get
the
same
representation
of
Jessie
code
into
all
these
different
environments
and
to
see
what
the
what
the
best
abstraction
is
for
interpreting
Jessie
talk
that
we
can
have
a
simple
interpreter
in
all
these
environments.
A
So
when
it
comes
to
the
chassis
frame,
specifically,
that's
all
going
to
centralized
around
the
same
concerns
that
SDS
has,
with
the
same
FCS
evaluator,
just
customized
for
Justin
whitelist,
and
the
only
differences
that
will
be
restricting
the
kinds
of
modules
that
we
can
load.
So
essentially,
there's
not
a
lot
of
different
work.
Besides
what
SES
frame
house,
aside
from
being
able
to
limit
the
subset
of
JavaScript
that
you
were
interested
in.
B
A
B
A
So,
in
thinking
further
about
the
relationship
between
Jessie
and
standard
JavaScript,
the
approach
that
I
took
through
Jessica
so
far
was
I
had
global
endowments
that
correspond
to
the
things
that
Jessie
needed
from
the
environment
I'm
thinking
now,
especially
in
regards
to
how
SES
has
this
magical
module,
Agora,
carton
and
a
cork
not
that
these
are.
These
are
essentially
hooks
for
the
interpreter
environment,
to
say,
here's
something
that's
outside
of
your
environment,
then
we're
going
to
provide
for
you.
A
So
what
I
see
this,
as
is
code
that
is
essentially
agnostic
as
to
whether
it's
running
under
SES
or
I,
understand
your
JavaScript
environment,
those
kinds
of
libraries
that
want
to
be
able
to
offer
the
security
that
ICS
has
and
not
get
flicked
with
it.
But
at
the
same
time,
maybe
they
want
reusability
outside
the
JavaScript
environment.
That
would
provide
that
security.
A
B
Yeah
my
mistake:
okay,
so
so
I
followed
that
one
of
the
things
that's
a
little
disturbing
is
the
layering
there
is
that
the
it's
in
the
SES
case,
it's
working
through
the
translation
of
modules
into
evaluable
scripts.
That
is,
that
it's
currently
working
through
the
existing
packages
that
don't
have
a
well
specified
translation
to
just
do
what
they
do.
B
A
So
what
I
would
like
to
be
able
to
do
is
have
Jesse
source
code
essentially
be
entirely
self-contained,
so
in
the
sense
that
if
my
Jesse
source
code
uses
make
map,
for
example,
as
the
what
I
currently
have
is
a
global
endowment
that
creates
a
map
if
instead
I
imported,
that
from
some
module
at
or
gorik
slash
Jesse,
then
people
who
read
the
code
would
say
this
is
Jesse
code
that
I
know
what
this
does,
because
I
know
what
this
particular
import
does
and
then
there
are
no
magical
Global's.
A
At
that
point,
everything
that
would
have
been
global
aside
from
the
primordial
and
the
white
listed
things
has
behavior
that
can
already
be
defined
in
terms
of
existing
JavaScript.
So
in
an
existing
JavaScript
program,
if
I
grab
the
Jesse
module
and
drop
it
into
place,
all
I
need
to
know
is.
It
depends
on
Nick
or
XS
Jesse.
B
Okay,
that
makes
sense
to
me
that
essentially
it's
like
the
discussions
that
we've
had
39
of
that
standardizing
built-in
modules.
In
some
sense,
the
things
under
the
an
Agora
namespace
would
be
things
that
are
built
in
to
Jesse
and
cess
in
the
sense
that
they're
provided
magically
and
then
simply
in
portable
modules.
4
4,
4
4
code
is
written
to
run
under
Jesse
and
SAS,
but
just
run
under
JavaScript
is
that
by
getting
that
about
right,
yeah.
B
A
So
this
list
of,
let's
see
eight
things
so
far,
it
still
does
resolve
on
sun.
Your
resolution
between
revolves
around
some
resolution
between
hardened
and
insulated.
Whatever
else
we
have,
but
that
can
be
worked
on
later,
not
too
concerned
about
that
cuz,
that's
something!
That's
a
fairly
systematic
changed
the
sources
that
we
need
to
make
that,
but
basically
this
list
of
confined
could
find
expression
make
not
make
promise
makes
up.
We
cannot
bring
weak
side.
Okay,.
B
B
A
B
And
that
running
it
needs
a
parser.
Doesn't
worry
me
because
jesse
was
designed
to
be
simple
to
parse
yeah.
My
question
we
having
syntactically
validated.
Is
it
then
safe
with
regard
to
conforming
to
the
specification
you
have
in
mind
for
it
to
really
validate,
not
transform
and
then,
if
it
validates,
simply
pass
it
through
two
SES
confined.
Does
that
fully
preserve
the
semantics?
You
want
jesse
confindent,
the.
A
Only
difference
is
what's
on
the
wait
list,
so
things
like
about,
for
example,
object
is
frozen,
I
think
at
least
part
of
SES,
but
not
part
of
Jesse
right.
B
B
Yeah
just
to
repeat
for
everyone,
my
YES
on
that
is
that
that's
still
a
conforming
implementation
of
Jesse.
It's
just
not
the
minimal
conforming
implementation
of
Jesse,
because
I
define
Jesse
such
that
a
correct
jesse
program
is
not
allowed
to
rely
on
the
presence
of
any
of
the
SES
elements
that
are
absent
from
Jesse,
but
neither
is
it
allowed
to
rely
on
the
app
since
of
those
so
correct,
Jessie
program
when
run
we're
the
rest
in
an
environment
where
the
rest
of
the
SES
standard
library
is
available
must
still
run
correctly.
B
B
B
I'm
fairly
convinced
that
you
can't
accurately
do
a
static
test,
you
may
be
able
to
do
a
conservative
static,
ask
people
to
think
we're
matter,
but
but
yeah
it's
really.
It's
a
definitional
sleight
of
hand
the
fact
that
I've
defined
Jessie
that
way,
it's
certainly
useful
to
have
the
minimal
Jessie
whitelist
so
that
you
can
even
using
the
SES
mechanisms,
run
a
Jessie
program
tested
Jessie
program.
A
C
B
Is
make
module
instance
for
those
who
looked
at
the
code
beforehand?
I
should
say
that
about
a
couple
of
hours
ago,
I
changed
I,
did
a
bunch
of
renaming
in
preparation
for
for
this
video
conference
to
have
better
names
for
things.
So
I
only
use
the
new
names
here,
so
a
module
steps
out
make
module
instances
kind
of
the
the
core
mechanism
that
I've
created
here
for
building
a
safe
module
system
for
SES
this.
B
B
But
now,
let's
talk
about
the
the
core
mechanism
here,
so
I
defined
something
called
a
module
static
record
that
this
first
parameter
is
supposed
to
proposed
to
provide
such
a
record,
and
that's
really.
The
core
of
this
proposal
is
the
definition
of
that
record
and
how
this
make
module
instance
processes
that
record.
So
it
called
a
module
static
record
because
it
differs
from
the
module
record
of
the
atmosphere
stack.
The
module
record
of
the
eggman
script.
Spec
is
sort
of
a
module
instance.
Information
and
I
find
that
I
found
that
terminology
confusing.
B
So
this
thing,
I
only
have
module
static
record
and
module
instance.
The
module
static
record
contains
only
information
that
derives
an
individual
module
source
text
considered
by
itself.
It
doesn't
do
any
intermodules
analysis
and
it
doesn't
do
any
instantiation
or
binding
to
any
naming
environment
so
well,
we'll
get
to
that
in
a
moment.
But
before
we
do
I
mean,
let
me
go
through
the
other
parameters
to
make
module
instance
and
then
I'll
show
you
what
what
the
module
instance
looks
like
that
it
returns.
B
B
So
at
the
time
you
call
make
module
instance:
the
import
namespace
can
be
empty,
can
be
unpopulated
and
there's
up
to
the
loader
to
populate
it
with
a
mapping
from
a
specifier
names
to
modules
and
each
individual
module
instance
can
have
can
be
given
its
own
unique
import
namespace
with
its
own
unique
name
to
module
instance
mappings,
the
first.
Basically,
so
the
idea
is
first,
you
may
call
the
module
instances
and
then
having
made
them.
B
C
B
C
So
so
I
like
to
call
it
your
module
scope
in
my
in
my
model
and-
and
my
idea
is
that
this
is
a
particular
module
that
it
that
is
extending
from
the
global
scope
and
in
the
modules
code,
the
only
thing
that
will
ever
exist
are
kind
of
like
constants,
but
they
are
life
bindings.
In
that
you
cannot
write
about.
Okay,.
B
So
I
think
I
made
this
spoke.
Then
when
I
say
yes,
I
think
I
may
have
misunderstood
the
question.
The
import
namespace
is
met
the
strings
that
its
mapping
from
our
module
specifier
strings,
not
variable
names.
There
are
no
variable
names
in
the
important
aim:
space
in
the
important
name,
space
itself
to
mapping
the
the
import
namespace
itself
is
a
mapping
from
module
specifier
strings
to
module
instances.
The
module
instances
in
turn
have
the
mechanisms
for
binding
over
Y
bindings,
but
those
don't
show
up
at
the
top
level
of
the
import
namespace.
So.
C
B
Think
I
didn't
didn't
understand.
Okay,
let
me
just
talk
it
through.
With
regard
to
an
example,
we
have
actual
I
use
the
example
I'll
actually
look
such
as
good
roughly
to
the
example
so
over
here
we
have
an
example:
module
static
record
for
module
that
was
hypothetically
originally
named
bar,
so
the
idea
is
that
we
have
a
translator.
One
very
nice
claim
that
I
will
make
about
this.
Translation.
B
Is
the
translator
from
the
module
search
text
to
the
module
static
record
is,
is,
is
not
does
not
has
not
in
any
sense
a
trusted.
Translator
yeah.
He
in
the
sense
that
we
talked
about
last
week.
Everybody
could
use
their
own
offline
translator
for
their
own
code
and
if
their
translator
is
bad,
they
only
followed
their
own
nest,
but
even
at
the
level
of
intra
module
linking
semantics.
B
B
Something
that's
not
really
essential,
but
that
certainly
helps
explain
examples.
So
everything
else
in
this
bar
module
static
record
is
supposed
to
be
generated
only
by
processing
this
text.
Of
course,
the
actual
when
I
wrote
down,
was
generated
by
hand
from
what
I
imagine
the
translation
would
be.
B
So
oh
I
should
I
should
also
mention
in
this
original
source
text.
I
took
the
expository
examples:
the
non
normative
expository
examples
from
the
ACMA
script
spec
and
did
variations
on
those,
so
that,
although
this
is
far
from
complete,
it
at
least
covers
the
case.
Analysis
that
the
echo
script
spec
authors
found
was
an
expository
a
useful
first
voluntary
purposes
case
analysis
for
illustrating
the
different
cases,
so
actually
I'm
gonna
split.
The
screen
here
split
the
winner
here
so
so.
B
So,
given
this
import
text
over
here,
I'm
translate
that
turns
into
in
the
record
this
discret.
This
description
of
the
imports
Macedon
is
that
we
that
that
the
overall
module
static
record
has
metadata
that
describes
the
static
information.
That's
needed,
that's
derived
from
that.
That
comes
from
the
analysis
of
the
source
text,
so
it
pulls
the
needed
static
information
out
into
these
parts
of
the
record,
like
the
imports.
B
B
B
So,
for
that
case,
we
put
it
into
the
fixed
effects.
Fourth
string.
Otherwise
we
put
it
into
the
live
export
string
and
the
the
food
queso
is
okay.
These
cases
over
here
are
the
weird
ones
that
I
wasn't
even
aware
were
in
the
language
until
I
went
through
the
spec
for
part
as
part
of
this
exercise,
where
you
can
import
from
one
module
and
react
sport,
what
you
imported
as
your
own
exports
without
ever
binding
it
to
a
local
variable.
So
it's
just
to
support
that
as
well.
B
B
C
C
B
So
I
believe
this
code
is
observational
equivalent
to
that
I
hate
that
that
it
conforms
to
the
spec
with
regard
to
that,
and
that
was
actually
that
actually
caused
a
major
change
in
my
development
of
it
is
because
the
read
my
first
attempt
at
doing
this
miry
expert
failed
to
be
live,
and
it
took
me
a
while
to
figure
out
how
to
react.
Sporting
of
it
maintained
the
live
binding
nature.
So
this
does
do
that,
but.
A
C
C
B
C
B
B
So
noted
I
might
get
the
initialization
order
and
the
td0
on,
but
let
me
say
right
at
the
outset,
all
together
in
order
to
do
in
order
to
meet
my
other
goals.
I
found
that
I
needed
to
be
inaccurate
for
some
of
the
tdz
cases.
There
are
some
cases
where
the
module
semantics
would
have
the
implementation,
throw
a
reference
error
where
this
implementation
will
instead
produce
the
undefined
value
for
a
live
binding
that
should
have
been
in
a
temporal
dead
zone
and
given
the
overall
goals
here.
B
I
think,
though
that
was
you
know
if
I
have
to
make.
If
there
is
indeed
a
conflict
between
the
goals,
then
then
for
the
goals
that
I
haven't.
I
I,
think
that
was
the
right
choice,
but
altogether
trying
to
the
degree
to
which
I
can
satisfy
my
goals
without
conflict,
I
was
trying
to
be
as
accurate
as
I
could
be
on
tdz,
as
well
as
the
as
well
as
in
general,
the
initialization
order
and
the
handling
of
cycles
and.
C
I
definitely
share
in
that
sentiment,
because
TDC
has
been
conformance
to
TPD.
Z
has
been
one
of
the
very
very
disruptive
aspects
of
people
trying
to
make
like
a
note,
for
instance,
trying
to
implement
into
off
with
Colin
Jaso
I
was
very
curious
as
to
rationalisation,
because
if
the
speck
needs
to
be
usable
by
everyone,
then
the
constraints
are
easy
and
it
might
might
be
worth
revisiting
a
little
bit.
So
I
do
appreciate
that
you
you
put
that
you
put
those
words.
You
know
waited
mm-hmm.
B
You
know
Thanks,
so
so,
okay,
so
there
is
the
importance
record.
The
live
exports
record,
the
fixed
exports
record
and
the
the
you
know,
and-
and
it's
really
doing
this
really
clarified
for
me-
the
distinct
namespaces
that
the
spec
uses
because,
for
example,
the
code
I
was
showing
last
week
completely
confused
export
names
and
local
names,
and
it
took
a
little
while
to
figure
out
how
to
correctly
treat
them
separately
so
over
here,
for
example,
in
the
live
exports.
B
What
this
is
saying
is
that
the
actual
estate,
this
one,
the
export
name,
II
X,
corresponds
the
local
lexical
variable
named
L,
and
with
this
and
concretely,
what
this
means,
which
you'll
see
concretely
in
a
moment,
is
that
in
the
module
name,
space
record
that
we
produce,
that
is
supposed
to
correspond
to
the
specified
exotic
module
name
space
object
that
the
named
bind.
There
is
e^x
in
the
endowment
record
that
we
provide
to
the
proc
city
for
purposes
of
faulting,
on
assignment
to
implement
pdz.
B
Without
rewrite
of
code
in
the
module,
without
rewrite
of
particular
of
functions
contained
in
the
module,
we
have
to
trap
assignments
in
the
proxy
and
for
those
the
relevant
name
is
ello.
The
lexical
variable
name,
not
e^x,
and
it
took
me
a
embarrassingly
long
amount
of
time
before
I
realized
that
I
was
using
the
wrong
name
in
the
wrong
place.
B
Okay.
This
is
the
important
thing
which
I
will
now
go
back
to
full
screen.
One
I
took
the
whether
the
rewriter
parsed,
the
original
module
source
text.
It
rewrote
it
into
this
text
and
yeah
make
claim
about
this
thing
being
minimally
invasive,
because
it's
only
rewriting
exports
and
imports,
but
over
here,
of
course,
it's
maximum
lien
basis,
because
the
example
consisted
of
only
the
imports
and
exports,
so
I
was
only
I
was
only
showing
the
things
that
needed
to
rewrite.
B
The
idea
here
is
that
all
of
the
importing,
including
the
implicit
importing
from
the
exports
that
that
import
and
re-export
modulo
the
issues
that
solid
is
raised
but
I
rewrite
basically
all
of
the
imports
into
this
call
to
dollar
H
enter
in
port.
This
will
be,
as
we
talked
about
a
dollar
h0
with
Joyner
thing,
underbar
import
or
whatever,
but
it's
whatever
are.
Our
convention
is
for
names
that
we
also
verify
that
the
original
source
did
not
contain.
B
And
then
the
imports,
when
we
aggregate
the
imports
we
see
that
here
are
the
local
lexical
variable
names
in
aggregate.
These
are
the
total
set
of
local
lexical
variable
names
that
are
created
in
those
import
declarations.
Those
import
declarations
are
importing
from
mod
1,
mod
2,
mod
3
and
foo
and
and
then
the
import
names.
The
import
names
consist
of
the
normal
identifier
names,
as
well
as
the
special
names
default
and
star
default
is
for
the
default
expert
which,
which
you
can
also
import,
is
the
default
import.
Star
is
only
on
the
importing
side.
B
There
isn't
a
star
on
the
exporting
side
and
star
means,
bind
this
thing
to
the
module
name,
space
object
itself
and
then
here's
the
really
cool
thing,
which
is
what
we
do
for
each
of
these
import
names
is
we
provide
in
in
this
argument
to
H
import.
We
provide
these
callback
functions.
We
provide
a
list
of
callback
functions
where
each
callback
function
is
there
in
order
to
bind
or
update
one
of
these
lexical
variable
names,
so
in
particular,
now
go
split-screen
again.
B
B
B
And
over
here
we
say
we
see
that
mod
one
star,
the
callback
updates,
the
NS
variable.
This
is
the
place
where
we,
the
the
updates,
are
re-run
when
necessary
in
order
to
continue
to
update
these.
That's
why
these
are
live
bindings,
but
that's
also
makes
clear
how
we
fail
to
do
temporal
dead
zone,
which
is
one
of
the
goals
of
this
free
right
was
efficiency
for
the
typical
case
and
at
the
importing
side,
given
separate
translation,
given
that
we
translate
each
module
without
any
intro
module
analysis,
which
was
not
at
all.
B
Therefore,
from
the
importing
side
we
can't
see
which
variables
are
alive
but
live
bound
and
mod,
and
we
want,
in
the
typical
case,
to
map
these
to
a
regular
local
lexical
variable
name.
We
could
have
placed
the
lexical
variable
name,
so
the
lexical
variable
names
themselves
had
a
tdz,
but
we
have
no
way
to
make
them
transition
out
of
tdz
at
the
importing
side
when
they
should,
according
to
the
live
binding
semantics.
B
So
instead,
we
just
gave
up
on
the
tdz
for
the
import
variables
and
they're
just
left
bound
at
the
beginning,
meaning
they're
immediately
bound
to
undefined.
B
B
It's
it
is
a
potential
security
hazard
compared
to
SES
is
specified,
but
it's
an
explainable
security
hazard
and
I'm
willing
to
just
define
what
it
means
to
be
correct,
SES,
so
that
the
so
the
correct
ses
code
has
to
not
be
vulnerable
to
that
hazard.
This
talking
about
that
hazard,
that's
inconsistent
with
object
capability,
so.
C
If
you
know
they
get
a
reproach,
that
I
showed
it
basically
wraps
arrow
functions
that
points
to
the
export,
the
names
of
the
namespace
and
so
before.
Before
any
name,
any
means
paid
statements
execute
in
all
modules.
You
get
all
those
getters
that
refer
to
the
scoped
variables
that
will
be
exported.
I'm
designing
this
under
initially
under
the
assumption
that
if
any
of
those
getters
is
called
before
the
variable
declaration
or
the
whatever
declaration,
their
point
is
effectively
a
PDE
state,
then
calling
that
actually
throw.
B
So
that's
correct
that
that
the
getter
naturally
does
that
and
I
am
using
that
on
the
module
name,
space
object,
but
for
normal
import
I,
don't
want
to
fault
to
a
getter
I,
don't
want
to
fall
through
a
proxy
and
I.
Don't
want
to
rewrite
the
use
occurrences
of
the
variable
and
if
I
don't
rewrite
either
of
them,
then
I
can't
have
a
use
occurrence
of
the
variable
a
cause,
an
indication
of
together.
Okay,.
C
C
A
B
C
I
think
I'm
going
to
the
dead,
but
anyways.
So
here
we
have
to
let
I'm
just
saying
that
if,
in
my
module
body,
I
somehow
executed
code
on
an
unaware
to
the
loader
or
the
you
know
unaware
to
the
devices
of
the
module
system,
I
I
assigned
to
be
NS
or
X
or
W,
where
I
shouldn't
be
able
to.
It
actually
happened
in
early
implementations
and
browsers
where
you
could
import
something.
C
B
So
good
good,
so
there's
that
reminds
me
of
something
that
I
didn't
say:
it's
actually
very
important,
which
is
in
semantics
of
JavaScript.
It's
already
the
case
that
an
imported
variable
cannot
be
assigned
to
within
the
module
that
imported
it.
My
painting
is
a
read-only
view
and
that
the
variable
can
only
be
assigned
to
in
the
module
that
exported
it.
Therefore,
the
cursor
and
rewriter
is
in
a
position,
without
intermodules
an
ALICE
to
reject
any
code
that
attempts
to
assign
to
a
lexical
variable
that
that
who's
defining
occurrence
was
an
import.
B
B
Actually,
I
need
to
do
that
in
the
same
since
I
can't
emulate
directive
L.
Why
do
you
remind
you
me
that,
because
I
knew
that
that
there
was
something
else
I
needed
to
statically
reject
in
the
realm
shin,
because
I
couldn't
emulate
it,
and
that
was
it?
That
was
the
one
I
was
forgetting
so
we're
currently
already
statically
rejecting
the
realm
shim
by
a
conservative,
reg
ax,
the
import
expression
and
we're
also
rejecting
the
HTML
I'm.