►
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
A
A
B
Okay,
so
what
I
found
in
implementing
just
the
interpreter
in
jessamine
is
that
there
are
some
cases
where
the
Jessie
module
semantics,
because
when
the
value
escapes
a
module,
it's
supposed
to
be
tamper.
Proof,
whether
that's
through
harden
or
whatever-
are
the
mechanism
mm-hmm,
it's
very
difficult
to
write
modular
code
that
actually
adheres
to
that
for
the
reason
that
some
things
that
are
intuitively
separate
modules
then
to
treat
each
other
as
aliens
and
you
can
really
pass
values
between
them.
Could
you
give
an
example?
B
I
give
an
example
right
here
so
in
the
Jessica
tree,
I
have
some
interpret
interpreter
utilities,
so
I
have
a
Jessie
interpreter
adjacent
interpreter,
just
an
interpreter,
all
of
which
extend
one
another
and
I've
started
that
some
utilities
that
are
common
to
all
now
the
difficulty
I
have
is
that
I
can't
write
a
do.
Eval
function
that
returns
a
value
because
it's
crossing
a
module
boundaries,
so
it's
its
return.
Value
has
to
be
ardent
or
temperate.
B
A
B
A
B
Is
the
tiny
okay
I'm
trying
to
import?
This
is
a
test
case.
It
doesn't
run
right
now
and
it's
basically
because
I
have
to
introduce
a
little
bit
more
indirection
in
my
treatment
of
references
so
within
the
interpreter
and
in
the
JavaScript
spec
spec.
There's
this
major
distinction
made
between
references
and
values
and
when
the
interpreter
handles
a
reference,
it
doesn't
have
to
actually
modify
that
reference.
It
can
just
use
functions
on
that
reference
to
do
things
that
make
sense.
A
B
A
B
A
So
the
the
what
I
had
in
mind
for
the
property
assignment
rules
of
Jessie
is
that
that
they
don't
that
they
can
be
that
with
the
static
Jessie
restrictions
that
you
can
only
do
that
to
non
aliased
variables,
essentially,
something
like
the
rust
ownership
rules
that
that
this
line
over
here
line
48
could
could
be
viewed
as
let's
make
a
new
object.
That's
like
the
old
objects
eped
that
the
value
of
it's
a
property
is
123,
as
opposed
to
whatever
the
original
state
of
abdu
is
so
the
absence
of
aliasing.
B
A
A
Out
here
is
1
2
3
wait,
wait,
wait
hold
on.
That
was
not
those
not
the
correct
statement.
Ok,
not
so
that
it
cannot
be
used
as
communication,
because
a
hardened
object
an
object.
This
tamper-proof
can
still
provide
today,
it's
so
that
it
so
that
so
that
it
can
be
defensive,
and
so
that
reasoning
about
the
Jessie
you
so
that
you
so
the
reasoning
about
stand-alone
Jessie
programs
that
you
can
reason
about
them
as
as,
if
objects
do
not
have
mutable
properties
and.
C
B
So
the
issue
here
is
this:
bit
of
code
is
not
just
JavaScript
code.
It's
code,
that's
being
interpreted
by
an
interpreter,
that's
written
in
Jessie,
okay,
so
it's
all
I'm
pointing
out
is
that
it's
difficult
for
Jessie
to
use
objects
directly
in
its
interpretation
when
those
objects
might
cross
Jessie
module
batteries
and
have
to
be
tamper.
Proof
along
the
way
Oh
in
here
yeah
and.
A
Objects,
the
same
representation
that
represents
the
object,
object,
the
you
know
in
that,
if
it
has
a
property
in
the
language
being
interpreted,
that
there
exists
an
object
in
the
interpreter
that
likewise
has
a
property
a
and
there
is
no
reason
for
the
interpreted
and
interpreting
language
to
be
literally
mapped
on
to
each
other.
In
that
way,.
B
B
A
So
let's
say
that
you
actually
that
would
that
we
actually
before
interpreting
the
code,
rewrote
it
into
the
representation
that
the
interpreter
is
going
to
act
on
where
line
48
was
rewritten
into
object,
with
a
a
replaced
by
an
a
with
this
123.
However,
you
want
to
write
that,
but
let's
just
invent
a
notation,
which
is
what
our
interpreter
is
going
to
be
operating
on,
where
objects
are
placed
in
place
with
a
new
object
that
has
an
a
property
where
there
are
no
dine.
D
D
What
I
would
suggest-
and
you
could
probably
go
back
over
the
video
later-
would
be
to
write
in
a
fairly
large
comment
block
illustrating
what
you're,
why
you're
writing
the
test
this
particular
way
and
and
and
do
to
continue
on
for
just
one
more
moment
your
code
comments
here,
you
you
don't
have
a
lot
of
them.
Obviously,
I
would
say
you
need
to
think
about
what
level
of
understanding
of
Jessie
is
Nessa.
A
In
line
48
and
a
Val
apply
style
met
interpreter
would
first
meta
interpret
the
expression
obj,
just
the
variable
reference.
So
the
question
is:
what
would
the
meta
interpreter
return
from
the
interpretation
step
where
it's
interpreting
that
variable
name
on
that
line?
If
it
is
returning
an
empty
object,
that's
already
hardened,
then
the
next
thing
which
it
needs
to
interpret,
which
is
the
assignment
to
the
property,
would
naively
fail.
We
would
fail
unless
we
do
something
special,
because
the
interpreter
itself
was
already
cano.
C
So
you
you
you're
new,
you
applied
eval
to
merely
the
expression,
obj
right
and
special,
that's
yeah,
and
and
that
return,
because
it's
because
it's
it's
so
it
returned
a
hardened
version
of
that
which
you
now
cannot
assign
the
property
a
because
it's
it's
hardened,
yes,
okay,
I
got
it.
Okay,
that's
not
so
I'm
mark
I
was
I,
was
treating
the
eval
as
being
applied
to
the
entire
block,
and
I
was
thinking.
So
what's
the
what's
the
issue
here
right.
B
C
E
B
What
I
came
up
with
in
them
working
on
now
is
I
can
actually
use
objects
as
closures
and
instead
of
returning
the
direct
object,
return
something
that
I
can
set
its
property
he's
with
and
then
when
it,
when
it
actually
escapes
and
escape
as
designated
by
in
slated.
In
this
case,
we
can
talk
about
that
some
other
time,
but
when
it
actually
escapes
is
when
it
gets
converted
into
the
insulated
proper
object.
As
opposed
to
me
when
we
were
manipulating
inside
the
function.
A
But
I
still
don't
see
how
to
write
the
interpreter
right.
I
mean
how
do
you
write
the
eval
I
mean
the
eval
is
still
returning
value.
The
static
rules
would
presumably,
in
you
know,
insist
that
eval
wrapped
insulate
around
its
return
and
they
get
slated
by
the
time
that
Audrey
gets
returned.
You
have
the
same
problem.
Well,
if
your.
B
This
is
where
the
in
sleep
idea
helps
more
than
harden.
Does
what
in-state
provides
is
a
proxy
that
the
that
the
receiver
of
an
object
cannot
be
attained,
its
properties?
Okay.
So
when
it
gets
returned
to
the
evaluator,
though,
the
evaluator
is
the
one
who
created
it,
it's
living
online
boundary
of
the
inside,
so
it
can
be
by
the
evaluator.
A
B
So
this
was
a
probably
highly
in-depth
reason
for
introducing
enslave,
but
it
it
it
illustrates
one
of
the
properties
that
insulate
has
that
helps
me
in
this
case.
So
basically,
the
idea
behind
insulate
is
that
we
say
objects,
don't
pass
the
barrier
between
the
warmth,
one
side
and
the
cold
side
unless
they
also
are
insulated.
B
Okay,
so
it's
not
quite
symmetric
in
that
there's
a
difference
between
the
warm
side
coming
to
the
cold
side
and
the
cold
side
going
to
the
warm
side.
But
what
it
does
do
is
it
is
a
orthogonal
to
harden
and
object
freeze.
So
if
you
freeze
an
object
on
one
side,
you're
not
really
doing
anything
bad
because
then
that
object
is
frozen
it
for
you
to
and
if
you
pass
it
into
the
inside
function.
It's
just
the
same.
Okay,.
B
D
A
B
D
A
B
I
make
an
error
here.
Just
so
I
can
see
where
in
Slade
was
called
in
the
first
place,
and
then
I
have
the
two
week
maps
from
the
warm
to
the
cold
side
in
the
cold
to
the
warm
side,
and
they
are
treated
equivalently
in
the
sense
that
we
don't
want
to
escape
from
the
cold
side
and
at
the
same
time
we
don't
want
infiltration
from
the
cold
side
to
the
one
side.
Okay,
so
we
have
them
in
a
certain
order.
B
We
say:
one
side
is
one
of
my
site
is
cold
and
those
become
the
end
of
the
up
maps.
So
when
we
say
we're
sending
out
something,
then
we
check
to
see
if
it's
already
been
wrapped
by
us
and
return
it
if
it
is
and
likewise,
if
it's
already
been
wrapped
anywhere,
then
we
don't
insulate
it
again.
There's
some
one
one
layer
of
insulation
is
enough
for
anything
mm-hmm,
and
then
we
have
entering
leave
functions
here.
B
So
when
an
in
Bob
ject
enters
us,
then
we
wrap
it
with
the
maps
saying
the
inside
inside
map
is
the
outside,
and
the
outside
map
is
the
inside.
So
we're
reversing
the
order
of
the
mapping
when
it's
inbound,
okay
and
when
the
sleeping,
then
we
when
we
wrap
it
in
the
order
that
we
are
in
right
now,
uh-huh,
that's
completely
arbitrary.
They
just
have
to
be
opposite
right.
C
B
A
A
A
B
A
A
Look
look
at
so,
let's
start
with
the
assumption
that
the
answer
we
got.
The
answer
we
want
is
yes,
that
anyone
with
access
to
an
arc
to
an
object
can
harden
it
and
that
the
default
behavior
can
try
to
harden
it
and
the
default
behavior
or
the
behavior.
In
the
absence
of
AI
user
code,
using
proxies
to
avoid
being
hardened.
A
A
A
A
B
That's
okay!
That's
that's
easy
enough
to
work
with
what
what
I
was
basically
heading
towards.
Is
that
when
I'm
dealing
with
an
object,
that's
being
prepared,
as
opposed
to
delivered,
whether
it's
being
delivered
by
being
insulated
or
whether
it's
being
delivered
by
being
hardened
those
those
functions
specifically
like
the
object
that
freeze
as
well,
which
forced
the
freezing
of
the
object.
A
A
A
But
the
proxy
prevent
the
proxy.
If,
if,
let's
say
ask
is
frozen,
we'll
say
no,
but
if
an
attempt
is
made
to
mutate
or
extend
the
object,
the
proxy
will
refuse
to
do
so.
So
it
has
all
of
the
defensive
nosov
a
hardened
object,
except
that
it
does
not
claim
to
be
hardened
and
it's
more
like
a
read-only
view:
okay,
okay,
good
good!
That's
alright!.
B
A
B
A
So
if
you
can
certainly
create
a
proxy
that
does
that,
in
addition,
there
is
this
very
very
weird
case,
that
of
the
the
the
window
proxy
object
in
the
browser
where
this
this
issue
exactly
does
come
up
the
because
the
frame
may
get
navigated
and
the
window
proxy
maintains
its
identity.
It
represents
all
properties,
has
configurable.
So
it's
not
writable
true.
So
much
is
configurable
true,
but
it's
it's.
A
A
A
But
still
the
I
mean
the
problem
with
allowing
any
object.
Any
object
at
all
that
breaks
the
object
invariance
is
that
the
mechanism
for
enforcing
the
object
invariants
on
a
proxy
relies
on
the
object,
invariants
already
being
enforced
on
the
proxy
shadow.
If
there's
any
object
that
that
can
violate
the
object
invariance,
then
you
can
create
a
proxy
that
uses
the
violating
object
as
its
shadow
and
then
use
that
to
create
a
proxy
that,
in
turn
violates
the
object.
Invariance.
B
D
B
D
Yeah
with
apply
and
construct
in
particular,
with
applying
construct
in
particular
you've
got
a
you've,
got
a
problem.
Both
ways.
You've
got
a
handle,
wrapping
arguments
incoming
and
count
and
counter
wrapping
arguments.
Outgoing
and
I'm
just
want
to
make
sure
you've
done
that
I,
don't
know
if
you
have
so.
B
A
Have
a
worry
about
a
possible
confused
deputy
on
the
enforcement
mechanism
here,
let's
to
go
back
to
the
objects
ample,
so
let's
say
that
object
from
the
function
being
interpreted.
Let's
say:
let's:
let's
go,
you
know,
let's
not
just
say
that
you
create
object
or
not,
and
then
it's
some
and
then
and
then
the
I'm.
Sorry,
let
me
let
me
well
I'll
just
I'll
just
speak
a
new
example
from
scratch.
Would.
B
A
Objets
exactly
that's
perfect.
This
is
this
is
the
example.
I
wanted
to
examine
so
so
you're,
insulating
the
so
so
make
objects.
Elating
is
a
read-only
view
of
the
underlying
empty
object
and
then
the
you're
making
a
so.
Let's
say
that
both
of
these
functions
are
being
interpreted
by
the
same
interpreter
mm-hmm,
so
the
cement
we
online
57
the
the
dot
a
assignment
right.
You
want
the
you
you're
trying
to
create
a
situation
with
the
dot.
A
assignment
online
48
would
succeed
and.
A
A
A
Ok,
this
so
there's,
ok,
so
so
I
understand
good,
so
I
understand
how
this
one
avoids
the
confused
deputy.
Now,
let's,
let's
do
a
modification
of
this.
So
why
don't
you
go
ahead
and
copy
lines?
51
53,
through
line
61.
A
A
A
Objet
rid
of
the
rest
of
that
between
line
64
and
65
hoo,
so
I
want
to
I
want
to
return
to
things
so
go
ahead.
The
screen
said
between
64
and
65,
say
Const
FN,.
A
B
A
Okay,
so
now
the
question
is
since
thin
is
within
the
same
insulate.
Presumably
even
after
both
object,
fin
have
been
returned.
Fin
can
be
used
to
modify.
A
A
The
difference
is
that
that,
in
the
originally
intended,
jessi
semantics,
once
the
object
escapes
its
properties
were
no
longer
supposed
to
be
mutable,
and
by
doing
this
read-only
view
thing
you're,
not
putting
a
temporal
constraint
on
mutability
you're,
putting
purely
a
spatial
constraint
on
mutability,
which
is:
are
you
going
through
the
read-only
view,
or
are
you
within
the
insulate
and
you
know,
is
mike?
I
mean
it's
it's
worth
examining.
This
is
a
coherent
design.
It's
just
not
the
design
that
I
had
in
mind.
D
A
There
is,
as
opposed
to
I,
just
I'm,
just
had
to
be
very,
very
picky
about
this
terminology
as
opposed
to
a
frozen
object,
because
the
object
can
still
contain
functions
that
have
that
that
have
closed
over
state
like
assignable
lexical
variables.
So
it's
not
immutable,
but
its
properties
are
on
the
are
okay.
C
Fair
enough,
but
but
I
don't
think
that
affects
the
fundamental
pointer
question
in
this
thing
out,
which
is,
if
you
have
the
notion
of
a
read-only
view,
the
the
idea
of
it
being
read-only
as
opposed
to
being
frozen
or
amenable.
Is
that
the
visible
state
you
can
see
through
the
read-only
view
might
change
between
one
time
when
you
look
at
it
at
a
later
time,
I
thought
not
naught
cannot
be
changed
directly
by
you.
Through
that
view,
maybe
somebody
else
someplace
else
who
can
change
it
right,
clear.
C
Once
you've
done
is
exposed
through
the
read-only
view,
you
have
exposed
a
function
which
can
modify
something
that
you
want
the
read-only
view
of
yes,
but
that
doesn't
seem
cat
aurélie
different
from
something
which
can
modify
the
state
of
the
thing.
You
have
read-only
view
of
that
you've
got
through
some
other
pathway.
A
Right
I
mean
there's
the
the
FN
does
not
make
this
notion
of
read-only
view
incoherent
and
it's
it's
not
actually
a
confused
deputy
right.
It's
it's
an
explicit
authorization.
Yes,
because.
A
Right
FN
was
created
as
a
creature
in
the
environment
where
it
had
a
right
to
do
the
modification
right
and
now
you
have
through
the
read-only
view
you,
you
have
been
given
the
right
to
invoke
that
creature,
explicitly
where
the
invocation
is
not
an
action
that
the
read-only
view
is
supposed
to
attenuate.
So
there's
thought:
there's
no
contradiction
right.
C
A
C
A
Certainly
it
is
allowed
in
SES,
because
there's
nothing
in
this
that
can't
be
implemented
in
SES
right,
SES
does
have
proxies.
You
know,
does
have
everything
needed
to
bring
this
about,
so
can't
be
disallowed.
It's
at
the
Jesse
level.
There's
a
question
about
which
language
is
it
that
is
considered
to
be
the
subset
of
SES?
Is
it
the
language
with
the
if
the
if
the
met
interpreter
is
inserting
the
insulates
in
the
interpreter.
A
A
A
A
So,
just
very
concretely,
if
I
say
Const
find
equals
no
insulate
of
stuff
and
cotton,
then
semicolon
cost,
except
because
insulated
stuff
versus
I
said
Const
open
square
bracket
find
comma
except
close
square
bracket,
equals
insulate
opening
square
bracket,
stuff
kind,
comma,
stuff,
close
square
bracket
closed
paren.
In
the
second
case,
they
would
be
within
one
insulate
and
could
thereby
have
usually
mutating
access
to
each
other
and
within
your
rules,
I
would
still
be
allowed
to
write
that,
but
I
would
have
to
explicitly
write
it.
C
B
C
A
A
Yeah,
okay,
the
herdin
would
actually
freeze
the
properties
themselves,
whereas
insulate
is
binding
find
to
a
read-only
view
where,
within
the
read-only
view,
there
might
be
some
functions
that
mutate,
the
that
you
take
properties
of
other
things.
Within
the
read-only
view,
it
seems
to
me
much
harder
to
statically
to
figure
out
what
further
static
rules
I
need
to
impose.
So
that
find
is
not
just
insulated
but
actually
cure.
A
B
A
A
B
A
A
B
I'm
Jay
just
follow
we're
still
ruminating
a
little
bit
zip
back
over
to
insulated
implementation,
as
the
punchline
is
left.
Ok,
so,
basically,
after
the
construction
of
the
proxy,
let's
recall
the
insulator
value
we
added
tore.
We
come
out
saying
that
it
is
insulated,
so
nobody
else
has
to
and
oh
this
is
the
part
that
I
want
to
get
to
right
in
here
in
the
apply
method.
C
A
A
A
Okay,
okay
got
it
so
this
means
that
this
means
that
that
okay,
so
the
static
rule,
ensures
that
there's
always
an
insulate
bandar-e
between
Jesse
and
SES,
correct
and
therefore
SES
code
that
can
mention.
This
cannot
trick
jesse
code
into
revealing
something
inappropriate
because
of
a
despondent
yeah.
B
B
A
A
Just
because
they
got
it
some
other
way,
just
because
one
part
of
the
program
having
gotten
it
one
way
doesn't
mean
it's
okay,
for
it
to
week
that,
through
an
abstraction
that
didn't
think
it
was
leaking
something
dude.
Another
part
of
the
program
that
obtains
it
right,
part
of
the
point
of
the
defensively,
consistent
abstraction,
is
that
two
clients
of
the
abstraction
cannot
charity.
Abstraction
can
only
interact
with
each
other
according
to
the
the
semantics
of
the
abstraction
and
if
they
can
abuse
the
abstraction
to
leak,
a
value
from
one
to
the
other.
A
A
A
A
C
A
Okay,
so,
first
of
all,
just
the
just
as
a
reminder,
the
general
Jessie
versus
SCS
this
binding
hazard
would
be.
Let's
say
that
my
favorite
example
is,
let's
say:
you're
writing
an
observable
Jessie
and
the
observable
has
a
list
of
listeners
and
it
registers
in
that
list
of
listeners
a
function
and
then
the
thing,
the
event
that
the
listeners
are
listening
for
happen
so
that
the
what
the
observers
employ
does
is
just
says.
A
You
know
for
I
equals
0
to
n
minus
1,
a
list
of
listeners,
open
square
bracket,
I
close
square
bracket,
open
paren
notification
arguments
closed
paren,
so
it
just
loops
through
the
array
invoking
each
of
the
listeners,
which
is
just
a
function
invoking
them
to
notify.
Now,
if
the
listeners
themselves
are
all
written
in
Jessie,
there's
no
problem,
because
all
they
get
are
the
arguments.
A
If
the
note,
if
the,
if
the
listener
is
written
in
SES,
then
it
can
be
a
function
that
mentions
this
and
the
syntax
array
open
square
bracket,
I
close
where
bracket
open,
paren,
args,
close
paren,
will
provide
the
array
itself
as
a
this
binding
to
be
taken
as
a
dis
binding
to
the
invoked
function.
So
right.
So
what
Michael
just
wrote
online
126
the
if
the
function
looked
up,
is
written
in
SES.
It
can
capture
the
array.
C
A
A
In
both
cases,
the
insulate
call
explicitly
appears
in
the
source,
and
therefore
it's
part
of
the
membrane
that
gets
put
in
place
is
can
can
can
impose
changes
that
are
not
equivalent
to
the
membrane
not
being
there
and
are
not
a
subset
or
something
other
than
a
subset
of
what
would
happen
with
the
membrane
not
being
there
such
as
replacing
the
this
value
in
the
membrane
crossing
invocation
with
undefined.
So.
C
So
could
you
replace
line
130
instead
of
saying
this
Arg
equals
undefined
I
say
this
Arg
equals
insulate
this
heart.
B
C
C
C
B
B
A
B
A
C
A
A
But
then,
if
we
want
to
allow
the
static
well,
that's
I
mean
it's
it's
a
smaller
and
more
discipline
language.
If
it
doesn't,
if
the
static
rules
don't
make
the
sources,
look,
unpleasantly
more
verbose
or
or
or
harder
to
read.
I
still,
don't
see
a
good
motivation,
starting
from
Jessie
for
wanting
to
introduce
dynamic
property
assignment
to
alias
objects.
A
A
But
the
idea
was
that
something
like
the
the
rust
static
ownership
rules
or
linear
variable
rules
or
something
be
part
of
the
static
analysis,
so
that
on
on
line
48
that
that
that
assignment
to
a
would
only
be
allowed
in
the
original
Jesse.
If
it
was
known
that
object.
Is
that
the
value
that
object
that
object
at
that
point
so
that
you
could
consider
it
equivalent
to
a
line
that
replaces
object.
That's
just
like
the
original,
except
that
it
has
an
a
property
with
value,
123
and
and
the
meta
interpretation
dilemma,
but
Michael
is
raising.
A
My
suggestion
was
that
one
way
to
deal
with
that
without
moving
insulate
into
the
interpreter
in
a
problematic
way
is
to
first
rewrite
that
into
such
modification
code
before
passing
it
to
the
meta
interpersonally.
The
meta
interpreter
is
met,
interpreting
a
language
that
in
which
the
node
Haitian
of
property
assignment
no
longer
appears.
A
B
A
A
D
A
B
Okay,
so,
regardless
of
the
merits
of
insulate
or
not,
we
still
need
something
to
reject
fit.
A
Mean
you
know
if
we
want
to
you
know
if
we
want
the
original
Jesse
goals,
which
I
think
I
do
want
mmm-hmm,
but
but
you
know
the
the
the
semantics
that
you're
proposing
here,
where
you
allow
fin
but
and
the
insulates
provider
read-only
view
are
interesting.
I
certainly
am
NOT.
You
know
don't
want
to
to
reject
it
within
the
first
two
hours
of
ever.
Having
heard
about
it,.
B
Yeah
and
there's
nothing
saying
like
I
did
have
so
when.
E
A
A
No
part
of
my
orientation
about
this
comes
from
in
you
know.
In
my
ear
language,
I
had
assignable
variables
and
objects
as
closures
and
no
records
per
se.
The
concept
of
a
object
as
a
as
a
closure
like
thing
that
did
method
dispatch
on
method
invocation.
That
was
the
primitive
but
was
not
built
out
of
records
of
functions.
A
The
the
the
object
with
method,
this
faction
and
invitation
was
a
primitive
notion
and
there
was
no,
and
there
was
therefore
no
sense
of
it
being
in
that
the
methods
were
properties
where
the
properties
might
change
over
time.
So
all
of
the
mutability
was
through
either
assignments
to
variables
or
through
primitive
mutable
objects
like
maps
and.
A
The
reason
why
I
so
so
as
far
as
sort
of
enabling
you
like
programming,
you
wouldn't
even
allow
things
like
line
48
in
the
first
place,
and
the
reason
why
I
thought
to
allow
it
is
that
in
JavaScript,
there's
one
often
writes
initialization
code
before
releasing
an
object.
You
know
within
the
equivalent
of
an
object,
constructor
and
sort
of
incrementally
putting
the
thing
together
before
releasing
it
to
potential
clients
and.
A
Right
right,
if
you
want
a
function
with
properties
yeah
only
what
without
introducing
some
helper
functions,
the
only
way
to
do
that
directly
in
JavaScript
notation
is
to
use
a
property
assignment
of
some
sort
and
the
most
natural
way
to
do.
It
is
to
just
use
the
property
assignment
syntax
and
under
the
static
rules.
I
had
in
mind.
A
C
A
No,
it
would
still
be
fine
because
that's
done
by
lexical
scope
and
all
the
functions
captured.
All
the
functions
that
are
conveyed
from
odd-job
prime
would
have
been
defined
in
that
lexical
scope
and
therefore
we'd
still
be
able
to
manipulate
that
same
private
state.
The
private
state
would
be
preserved.
A
B
A
B
F
C
F
F
You
are
kind
of
giving
like
if
we're
going
to
be
talking
about
like
SNS
and
the
browser
we
want
to
talk
about
how
we're
going
to
cause
none
secure,
or
you
know,
code
code
not
blessed
to
actually
execute
and
trusted
types
can
be
a
method
to
do
that.
The
other
idea
was
to
scrub
all
code
in
the
service
worker
or
to
scrub
all
code
manually
to
prevent
access
to
resources
that
are
not.
F
You
know
on
the
whitelist
to
be
accessed
by
that
particular
page.
So
so
you
know
I'm
trying
to
find
a
balance
between.
If
we
go
the
Service
Worker
route
or
if
we
go
the
manual
scrubbing
route,
then
we
need
to
parse
things
or
at
least
rely
on
ways
to
manipulate
or
catch
all
imports
and
and
other
kinds
of
statements
that
could
actually
load
the
resources
externally.
A
A
F
Yeah
I
think
it's
a
little
premature
from
my
end,
I
was
hoping,
maybe
others
had
some
more
input
on
this,
and
that's
why
I
was
like
bringing
that
up
for
today.
But
if
it's
too
early,
you
know
to
have
that
discussion.
I
think
we
can
just
table
it.
C
I
don't
know,
I
haven't
found
anything
that
really
affects
my
thoughts
on
things
from
trusted
types.
It
looks
like
it's
just
an
integrity
feature
to
me,
similar
to
ESPYs
different
kinds
of
integrity
features,
but
this
time
it's
programmatic
instead.
C
F
C
What's
objectionable
about
it
right
now,
we
have
the
ability
to
generate
strings
already
and
send
them
to
evaluators.
This
is
somewhat
similar
in
nature.
To
that
most
evaluators
currently
also
do
to
string
anyway,
so
they
could
do
something
similar
by
making
a
semi
opaque
type.
That
has
a
two
string
that
does
something
similar
in
nature.
F
So
so,
if
we
are
going
to
you
know,
if
we
are
going
to
censor
what
content
can
actually
be
injected
in
the
Dom,
then
we
will
have
to
hook
into
every
single.
You
know,
method
on
the
HTML
element
prototype
to
sit
through
what
content
goes
into
whatever
part
of
the
Dom
before
it
goes
in
may
be.
Trusted
types
would
actually
be
a
way
to
not
have
to
give
you
that
all
that
work
manually,
because
they
would
actually
be
doing
it
so
that
when
you
attend
content,
it
actually
gets
censored
at
those
things.
F
A
So
there
so
there's
really
there's
two
two
interesting
questions
here,
which
is
in
what
way
the
trusted
types
present
an
opportunity
so
that
our
desires
for
secure
programming.
Can
you
easy,
for
example,
that
we
can
create
a
confined
I
frame
where
we
can
give
untrusted
code
direct
access
to
Dom
elements,
because
we've
turned
on
this
credit?
These
trusted
type
controls
to
prevent
injection
of
Laureles
or
scripts
and
then
separately.
There's
the
question
of:
are
you
separately?
F
Iii
think
that
the
way
it
it
it
appears
that
you
couldn't
manipulate
content
going
through
a
sink
then
it
could
be
when,
when
a
particular,
let
me
find
an
example
on
this
packet
yeah
create
script,
URL,
someone
just
changing
a
URL,
so
that
a
module
would
be
substituted
with
another
module
that
fulfills
the
same
interface
expected.
But
actually
you
know,
doesn't
guard
against
or
actually
does
something
that
you,
you
know
exposes
something
that
should
not
have
been
exposed
by
the
original
module.
A
F
If
there's
a
like
a
simple
module
that
it's
ports
function,
it's
it's
meant
to
be
a
one-way
function,
for
instance,
and
you
call
that
function
and
stuff
goes
in
and
normally
it
wouldn't
it
wouldn't
leak
elsewhere.
But
then
because
they
they
catch
the
script
URL.
They
don't
divert
it
to
another
module
that
basically
replaces
that
function
with
console.log.
F
C
A
So
so
the
issue
is
where,
where
do
you
have
to
stand
in
order
to
do
this
kind
of
intervention?
And
as
long
as
you
know,
you're
the
it's
only
code,
that's
legitimately
in
a
controlling
position
over
other
code
that
gets
to
do
this
intervention
in
the
only
code
that
it's
supposed
to
be
controlling.
Then
it's
an
asset.
But
if
this
intervention
can
be
done,
one
code,
that's
not
supposed
to
be
able
to
be
controlling,
then
it
would
be.
Then
it
would
be
enabling
an
attack.
F
Yeah
so
definitely
I,
like
I'm,
really
interested
in
this
being
an
asset
as
we
aim
forward
and
if
it
can
give
us
the
kind
of
control
we
need
to
avoid
having
you
know
to
actually
do
any
code,
manipulation
manually.
That
would
be
great
but
worst
case
scenario.
If
that
is
not
the
case,
then
I
think
coming
up
with
a
detect.
Whether
or
not
trusted
types
is
not.
You
know,
superseded
by
other
code,
like
other
code
has
Authority
there,
which
shouldn't
there's
a
way
to
detect
that
trusted
types
are
not
being
used.
F
A
F
These
are
all
like
I
think
important
questions
that
are
coming
up
because
of
this
that
you
know
like
I,
don't
know
the
answers
to
them,
but
I
think
it's
worth
you
know,
keeping
an
eye
on
out
or
if
someone
you
know
is
more
familiar,
I
think
with
with
with
that
area,
you
know
it
would
really
I
don't
know
like.
Maybe
we
can
talk
about
it
when
it
becomes
more
clear,
I
guess.
A
A
In
shape
likewise
I
see,
we
have
to
the
self
course
guys
here
and
Manuel.
Likewise,
I.
Imagine
that
this
issue
comes
up
for
them.
Do
you
enable
do
you
enable
the
code
or
you
plan,
to
enable
the
untrusted
code
that
you
load
it
into
a
SES
compartment
to
have
some
virtualized
form
of
trusted
types
not
create.
E
E
Well,
I,
don't
wanna,
you
know
misrepresent
what
the
the
point
was
having
in
how
we're
solving
them.
It
would
be
ideally
more
of
a
something
I'd
be
more
comfortable,
jf2
answer,
but
let
me
tell
you
that
this
everything
I've
been
hearing
this
meaning
is
very,
very
familiar
to
us,
and
let
me
tell
you
one
conclusion:
we're
reaching
in
this
very
high
level,
but
I
hope
it's
going
to
maybe
answer
a
little
bit
your
question.
E
We
are
coming
to
the
conclusion
after
trying
a
few
approaches
that
we
want
to
actually
go
back
or
take
on
the
I
frame
semantics
for
the
way
we
want
to.
You
know,
share
code
and
data
from
one
what
we
call
namespace
to
another
because
in
our
in
our
case
it's
named
namespace
namespace
security.
What
we
want
to
achieve-
and
so
we
were
very
granular
earlier
in
our
in
our
earlier
versions
like
what
we
have
today
and
it's
just
very
pragmatic.
E
It
gets
convoluted
and
all
that,
but
we
found
that
the
I
friend
semantics
are
maybe
something
we
want
to
go
back
to
so
at
a
high
level.
Then,
when
you
want
to
share
code
from
ones
main
space
to
another,
you
input
the
code
and
the
code
runs
in
the
names
in
the
namespace,
where
you
did
the
import
and
if
you
want
to
share
data
from
one
namespace
to
another,
it's
very
much
like
sharing
data
from
an
iframe
to
an
iframe.
E
We
are
going
to
implement
something
similar
to
the
post
message:
semantics,
meaning
when
you
want
to
send
something
data
out
of
your
namespace
you're
gonna
have
to
like
really
clone
it
right.
It's
not
a
reference,
it's
not
something!
You
can
then
pull
it
on
the
other
side,
so
very
high
level.
This
is
this
from
my
answers.
I
don't
know
this
is
really
useful,
but
it's
kind
of
the
problems
we're
dealing
with
and
that's
how
we
are
thinking
of
approaching
them
and
we're
still
in
the
middle
of
all
this.
It's
not
like.
We
have
final
results.
E
A
A
A
Particularly,
the
system
has
access
to
the
actual
Dom
knows
of
the
frame
that
it's
running
them,
but
the
untrusted
guest
code
is
never
given
direct
them
access.
It's
only
given
emulated,
Dom
access
is
all
of
that
is
there's.
All
of
that.
Does
that
all
of
that
so
far
correspond
to
to
to
your
sense
of
what
the
cells
first
mechanism
is
there
yeah.
E
This
is
this
is
what
the
that
corresponds
to
what
the
Salesforce
mechanism
is
doing
today
and
what
I
meant
to
say
earlier
is
that
we
found,
after
some
time
of
doing
it
like
that,
that
it's
convoluted,
problematic
leaky
and
so
it
and
again,
this
is
my
understanding.
Let
me
tell
you
something
from
the
time
I
mean
I
being
itself,
for
is
that
we
want
to
go
to
a
newer
version
and
this
in
we're
calling
a
65
version
of
our
rockered
product
where
Locker,
if
you
have
cold
inside
I'm,
gonna
use
this
words.
E
E
Limitation
so
like
like
what
you
said
right
that
yeah
you
import
this
code
and
this
code
cannot
have
access
to
my
demands
from
that.
But
again
it's
been
it's
being
really
really
problematic
to
work
with,
so
we
want
to
simplify
it
and
go
more
back
to
the
basics,
so
I'm
talking
about
the
future
and
you're
describing
the
present
okay.
A
E
E
So
it's
it's
a
two-way
trust
that
we
are
thinking
of
establishing
and
then
there's
very
you
know
do
only
within
the
box
of
the
iframe.
Then
you
have
the
limitation,
but
you
know
that
the
untrusted
code,
you
know
once
you
import
that
can
access
anything
you
have
in
your
in
your
Dom
need
a
friend.
F
I
could
I
eat,
just
maybe
just
say,
like
I
talked
with
Michael
fake
a
couple
of
days
ago
about
a
service
worker
list
approach
for
Jessica
free,
and
we
basically
talked
about
this
kind
of
a
membrane
concept,
but
I
mean
Dom
DOM
wise.
We
are
compartmentalizing,
the
DOM
Jesse
Dom,
you
know
dumb
bound.
A
program
would
actually
be
allowed
to
access
and
we
are
saying
that
this
is
the
compartmentalize
Dom,
for
that
particular
widget.
F
We're
just
calling
it
a
widget,
because
it's
a
Jesse
module
that
actually
has
a
UI
and
and
that
falls
under
widget
and
the
other
categories
that
are
without
a
UI
are
are
basically
you
know
the
other
forms
of
extensions
that
you
could
import
by.
Having
that
division
of
of
the
code
we
are
able
to,
you
know,
worry
about,
you
know
instantiating
the
Dom
based
container
for
a
widget
by
wiring,
the
Global's
or
the
modules
that
can
import,
and-
and
you
know
we
worry
about
the
containment
at
that
level.
F
A
Guys
it
is
now,
after
three
and
in
order
to
you
know,
keep
with
the
precedent
of
adapting
to
people's
desire
to
schedule.
These
meetings
I
think
I'm
going
to
go
ahead
and
adjourn,
but
you
know,
let's
remember,
that
we
have
some
some.
You
know
open
questions
and
issues
here
and
to
be
to
continue
to
be
resumed.
But
next
meeting
the
priority
will
be
the
Patrick
Soquel
from
moddable
talking
about
the
safe
module
system
that
they've
come
up
with
for
SES.