►
From YouTube: SES-mtg: Node policy files. MetaMask kowtow. tc39 prep.
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
B
It
does
have
some
implications
but
nobody's
blocking
it
so
far.
So
if
nothing
happens,
it'll
probably
be
merged
into
the
experimental
flag
in
a
week
or
two.
We
also
opened
up
another
PR
for
fixing
a
problem
where,
if
somebody
modified
a
policy
on
disk,
we
didn't
have
a
way
of
mitigating
and
preventing
node
from
running.
A
B
C
B
Require
you
to
specify
an
absolute
location,
the
absolute
location
actually
should
be
covered
by
the
policy
itself,
since
the
policy
covers
all
possible
things
that
could
be
loaded
through
the
loader.
If
you
try
to
load
in
an
alternate
location
by
injecting
something
onto
the
file
system
or
something
like
that,
it'll
already
fail.
So,
okay.
B
So
a
policy
file-
this
is
a
big
JSON
blob.
It's
got
a
bunch
of
resources.
We
have
a
CLI
tool
to
make
this
easier,
but
this
is
a
good
example
policy.
We
have
a
main
file
and
we
have
an
empty
file.
The
main
file
has
a
specific
set
of
Integrity's
as
long
as
one
are
matched
it's
considered
valid,
so
he
also
has
an
integrity
check
in
here.
If
you
don't
include
an
integrity,
it's
not
going
to
load.
If
you
don't
include
these
dependencies
hash,
you
can't
import
or
require
anything.
B
However,
there
is
an
exception
to
this
if,
instead
of
loading
FS,
which
is
a
built-in
where
to
load
some
third-party
modules,
say
browserify
and
you
specify
the
value
true,
which
essentially
says
give
me
the
unattenuated
form
you
don't
need.
You
are
not
specifying
the
absolute
location
of
that
within
this
dependencies
dictionary
because
of
that
we
will
load
it
from
any
location,
that's
valid
within
the
policy
as
a
whole.
So
a
policy
as
a
whole
treats
resources
is
having
a
location
and
integrity
pair
in
order
to
load
browser
file
in
this
manner.
B
This
inserts
that
the
for
JavaScript
this
is
a
checking
that
the
source
text
matches
some
sub
resource
integrity.
Stream,
sub
resource
integrity
strings
are
standard
for
the
web.
Basically,
they
allow
you
to
have
a
series
of
different
hashes
associated
with
an
algorithm
and
if
any
one
of
these
hash
algorithm
pairs
matches
the
contents,
a
location,
then
that
location
is
considered
having
that
integrity.
So
if.
B
So
because
there
are
some
paths
searching
mechanisms
within
node,
you
can
actually
exploit
things
regarding
this.
This
is
actually
an
OAuth
vulnerability
as
well.
So
a
wasp
has
this.
As
one
thing,
you
can
kind
of
see
it
as
similar
to
symlink
stuff,
where
you
can
actually
inject
something
and
intercept
the
resolution
or
delete
something
from
path
and
cause
it
to
cascade
to
a
path
in
a
different
location.
B
If
I
replace
that
module
with
another
valid
source
text,
that's
listed
in
the
policy
and
I
do
not
assert
its
location,
then
I
could
have
something
like
a
JSON,
parser
or
no
opping
polyfill,
essentially
replace
that
hardening
API
and
it
no
longer
acts
within
the
application,
because
I
haven't
asserted.
The
location
is
also
correct.
So
this
is
a
bug,
so
there
is
a
very
popular
library
helmet.
We
have
this
discussion
with
day
on
a
long
time
ago
on
these
meetings,
where
intrinsic
is
doing
checks
purely
based
upon
the
integrity.
B
A
B
C
A
C
C
A
C
A
A
So,
if
that's
what
you
mean,
then
I
still
don't
understand
the
AHA.
The
thing
that
I
would
think
I
care
about
is
the
association
of
specifier
named
to
integrity
hash.
So
the
specifier
name
is
the
local
namespace,
the
namespace
that
relates
to
you
know
how
modules
name
other
modules,
but
the
location
out
there
on
the
web,
where
the
text
is
fetch
from
I
still
don't
care
as
long
but
but
I
did
but
I,
but
I
don't
care
about
it.
A
A
A
B
A
A
Be
one
location
requested
right,
okay,
but
it's
also
it
doesn't
have
to
do
with.
You
know
we're
on
the
web.
You
got
it
from
it
has
to
do
with
the
specifier
namespace
it
has
to
do
with.
You
know
what
what
names
module
used.
You
modules
use
to
talk
about
other
modules
and
then
how
that's
map
through
the
policy
file
where
we're
out
in
the
world.
You
got
the
bits
from
those
should
not
matter
correct.
A
A
B
This
API
needs
to
be
changed,
so
it's
callable
but
I
mean
there's
a
bunch
of
ways.
You
can
avoid
this
you've
taken
the
nine
module
and
replaced
a
important
security
module,
and
since
we
don't
have
a
location
according
to
this,
it
passes
policy
checks
if
we
don't
associate
location
and
integrity.
Okay,.
A
The
reason
this
would
fail
the
kind
of
local
integrity
check
that
I
have
in
mind
is
the
local
integrity
check
would
associate
local
names.
What
that
you
know
what
the
specifier
names
like
the
dot
Hardin
Jas
would
associate.
I
mean
the
dot
slash,
harden
Jas
would
associate
that
with
a
hash
and
since
benign
doesn't
have
that
hash,
it
would
fail.
So
the
integrity
check
that
I
have
in
mind
would
still
protect
us
against
this
attack,
even
though
both
both
hashes
themselves
appear
in
integrity.
B
If
you
could
go
over
a
bunch
of
things
with
me
and
some
example
cases,
we
could
discuss
that.
It
may
be
some
other
time,
but
that's
kind
of
out
of
this.
For
now
we
don't
do
that.
We
can
change
that
I,
don't
see
a
problem
if
I
find
it
compelling
for
now
what
we
are
doing
is
we
are
using
the
absolute
locations
because
the
absolute
locations
are
already
a
search
with
integrity,
checks.
B
C
C
B
C
I
see
so
we're
in
we're
in
a
program,
that's
manipulating
policy,
so
the
things
live
in
the
policy
directory,
not
that
it
is
a
directory
full
of
policies,
because
this
says
this.
This
whole
thing
here
is
describing
policy.
It's
in
a
file
called
policy,
die,
Jason
and
so
I
was
thinking
well
yeah.
What
I
care
about
the
policy
of
the
file
I
care
about
the
file
itself?
A
And,
and
and
the
location
in
not
the
location,
as
you
said
is
this
is
this
is
where
I
think
I
was
confused.
Is
the
location
you
said
is
relative
to
the
policy
file
and
since,
and
that
means
you're
talking
about
you-
know
the
local
copy
that
you've
obtained
from
somewhere.
You
still
don't
care
where
you
obtained
it
you're,
where
you've
obtained
it
from
you're.
Just
doing
you
know,
relative
naming
within
your
local
copy.
B
A
So
what
about
so
the
the
manifests
that
that
we've
played
with
and
discussed
in
these
meetings
and
ones
that
come
harvested
for
meta
mask
process?
If
I
do
this
rewiring
of
modules,
two
modules
and
once
again
with
true
for
just
give
me
these
the
the
unmapped
one,
we
also
do
a
real
start.
What
what
what
global
variables
should
be
in
scope,
because
this
one
does
this
pile
policy
file
capture
that
should
it.
B
D
A
B
B
B
A
Yeah
I
mean
the
we
mentioned,
how
I
see
the
the
purpose
of
the
policy
files
as
relates
to
user
land.
Loaders
I'd
say
that
it
sounds
right
to
you
guys,
which
is
simple.
Things
should
be
simple.
Complex
things
should
be
possible
that
the
user
lands,
loader
is
sort
of
the
ultimate
complex
thing
should
be
possible,
but
much
of
what
you
would
Express
with
user
land
loaders.
That
is
simple.
A
B
B
A
B
A
B
B
A
B
B
A
So
some
design
where
there
is
an
ability
to
express
the
human
generated
overrides
in
a
separable
manner,
so
that
there
so
they
so
they
contain.
So
they
generally
continue
to
apply
after
regenerating
the
thing
that
they're
advising
that
there
that
there
is
a
difference
from
or
something
I'm,
not
I'm,
not
praying
as
well.
But
I
think
you
understand
what
I
mean.
Yes,.
B
So
you
don't
want
to
lose
your
modifications,
even
after
generating
stuff
I.
Don't
think
that's
within
scope
of
note
itself,
but
we
could
certainly
add
some
dipping
utils.
That
would
allow
for
something
like
that
where
you
can
essentially
create
patches.
So
you
apply
to
generate
itself
for
tofu
itself.
That
seems
much
easier
to
do
it
down
there
than
to
do
it
up
at
the
runtime.
B
C
Think
we'll
typically
describe
stuff
which
is
external
to
that
world
can
be,
can
be,
can
be
folded
in
as
part
of
the
build
process,
and
those
would
be
described
in
some
some
separate
artifact
of
some
kind,
but
would
be
that
artifact
would
be
incorporated
into
the
generator
policy
by
whatever
your
built-in
packaging
tools
are.
Yes,.
B
A
Yeah
Kumada
did
do
you
have
any
thoughts
based
on
your
specify
work
about
that
separation
between
the
automatic
generation
and
the
human?
The
separate
expression
of
the
human
override.
D
A
A
And
it
generates
this
manifest
or
this
news,
but
we're
now
calling
a
policy
file,
but
then
there's
human
generated
overrides
where
you're
you
know,
you're
you're
deciding
to
wire
something
through
an
attenuator
or
whatever,
and
you
want
to
be
able
to
maintain
the
manual
override
decisions
across
the
regeneration
of
the
tofu
information.
Yeah.
D
D
Can
mean
by
a
deep
merge
yeah,
that's
a
good
question.
That
part
needs
to
be
like
clear
and
straightforward,
which
is
maybe
a
little
tricky,
but
if
I
want
to
be
able
to
say
like
actually
for
this
global,
you
know
use
this
attenuated
global
or
something
like
that
without
having,
without
accidentally
destroying
all
the
existing
other
global
configuration
for
that.
So
like
I,
don't
want
to
just
replace
the
Global's
configuration
object
with
that
one
global
I'm
setting.
D
So
how
the
best
way
to
do
that
is
not
clear
like
should
you
merge
those
two
objects
and
then
and
yeah
I
mean
that's.
The
way
I
would
go,
is
merging
the
two
objects,
but
in
some
cases
you're
gonna
want
to
overwrite
them
and
I.
Guess
in
the
case
that
you
want
to
overwrite
them,
you
just
need
to
explicitly
set
them
to
null
or
false
or
whatever.
C
Declaration,
that's
well
when
I
say
FS
I
mean
the
file
with
the
following
hash.
What
you
mean
is
when
I'm
yeah
FS
I
mean
that
file
over
there,
that
I'm
building
from
and
and
and
that
would
get
hashed
and
put
in
there
by
the
tool
so
that
when
you,
when
you
have
to
make
a
change
to
your
attenuation
code,
because
you're
still
developing
it,
that
will
just
get
automatically
swept
up
in
your
next
bill.
D
B
D
D
Yeah
because
I
expect
humans
to
be
able
to
audit
both
the
automatically
generated
config
file
for
specified
and
the
the
human
overrides,
so
I
mean
yeah,
like
I
already
demonstrated
that
I
mean
I
had
some
visualization
tools
to
help
with
that.
But
I'm
expecting
you
know
these
to
be
JSON
files
are
human
readable
and
that
you
will
include
them
in
pull
requests
and
you'll
review
the
diffs
and,
and
that
sort
of
thing
so.
B
D
B
A
Okay,
yeah
the
the
the
thing
about
the
for
the
interent
for
the
developer,
interaction
to
think
about
least
authority
issues
and
all
these
policy
issues-
and
you
know,
caching,
malicious
upgrades
I-
think
that
the
figuring
out
how
to
abstract
this
to
be
package
oriented
for
the
normal
case
is
actually
quite
important,
because
the
internals
of
the
package
is
somebody
else's
concern.
It's
not
the
concern.
B
That
might
not
be
true,
so
if
we
take
a
look
at
the
VIN
stream,
we
actually
had
a
package
modify
and
other
packages
internals,
and
so
that
was
part
of
the
problem.
Is
you
developed
a
prototype
attack
from
doing
that?
So
even
then
you
wanted
to
verify
that
the
method
I
forget
the
name
of
it.
There
was
some
kind
of
cipher
was
not
modified,
but.
A
That
is
still
in
Turpan.
One
package
depends
on
another
I'm
still
considering
that
to
be,
you
know,
we're
flatten
it,
because,
because
the
packages
are
a
graft,
a
lot
of
tree
that
that
the
policy
file
would
name
all
the
dependent
packages
as
well
and
flatten
that
out
eventually.
B
B
A
So
having
the
the
you
know,
the
integrity
ultimately
be
about
the
particular
bits,
but
have
the
the
powering
the
policy
awareness,
the
the
policy
decisions
that
some
human
programmer
is
going
to
make
be
in
terms
of
an
abstraction
that
a
human
programmer
can
think
about
in
a
stable
way
over
time.
I
think
I
think
we
need
to
find
a
way
for
that
to
coexist.
We.
B
A
Ok,
ok,
I
think
that's
I
think
that's
a
very
promising
direction
that
that
would
actually
kill
two
birds
with
one
stone
or
we
really
need
another
metaphor
for
that
concept.
A
B
A
Because
that
that
way,
the
the
awareness
of
packages
is
only
in
translating
from
the
tofu
output
to
the
policy
file
used
for
enforcement,
both
of
which
are
expressed
at
the
module
level
and
can
be
the
files
that
were
looking
on
her
and
it's
just
it's
just
the
transformer
tool
that
needs
to
understand
this
other
expression
of
human
policy.
Ironically,
the
term
policy.
B
B
So
for
media
mesh
size,
app,
you're,
looking
at
five
minutes,
easy
for
a
fresh
generation
of
these
policies
just
on
integrity,
and
so
that's
not
great,
but
we
can
do
some
caching
and
bring
it
down
to
you
know
five
ten
seconds
on
secondary
runs,
which
I
think
is
fine
for
actual
loading
performance.
There's
an
oddity
here
which
makes
sense
once
you
think
about
it.
A
A
B
Some
stuff
in
the
home
directory
it
crawls
up
your
directory
path.
It
searches
a
bunch
of
different
file,
extensions,
it
checks
for
so
like
okay,
if
it's
a
built
in
just
stop
there,
otherwise
it
tries
to
load.
It
is
a
file
and
it's
gonna
load
it
a
bunch
of
different
extensions.
This
is
actually
false,
just
because
simplicity
and
some
bugs
that
we
can't
get
rid
of
then
it
will
try
to
load
it
into
the
directory.
If
the
directory
has
a
package.json
it'll
do
something
if
it
has
an
index
file
it'll
do
something
else.
B
B
D
A
B
A
A
B
Yes,
so
the
other
things
we
can
do
is
we
could
logging
for
those
throughs
and
we
because
of
the
search
paths.
It
would
be
prohibitively
hard
to
put
all
dependencies
specifiers
on
the
left-hand
side
here
and
so
I
suspect.
We
may
have
to
tweak
our
policies
in
some
way
that
allow
for
scopes,
kind
of
like
packages,
level
resolution
rather
than
direct
one
specifier
to
one
location
mapping.
A
So
is
all
this
being
run?
What
is
the
status
of
frozen,
primordial,
x'
and
node
right
now,.
A
So
I
saw
a
PR
from
guy
Bedford
that
was
doing
the
access
er
trick
for
suppressing
the
override
mistake
and
for
masking
the
override
mistake
that
was
basically
doing
it.
If
I
recall
correctly,
he
was
Bedford's.
Pr
was
doing
it
over
all
of
the
primordial
methods
that
are
on
prototypes
for
their
methods,
not
on
prototypes,
even
though
that's
a
theory,
a
problem,
but
practically
it's
not
a
problem.
Salesforce
found
that
they
only
needed
to
do
it
practically
on
five
of
the
primordial
prototypes
object,
function,
array,
I,
don't
remember
what
else:
yeah
yeah
yeah
yeah
yeah.
A
A
A
B
A
D
A
D
D
That
you
should
the
creator
of
the
source
or
whoever
has
the
direct
reference.
This
source
should
still
be
able
to
make
modifications
to
that
source,
and
you
should
be
able
to
see
those
modifications
when
you
have
the
view
and
the
person
that
has
the
view
should
be
able
to
to
make
rights
that
shadow,
but
don't
affect
the
source.
A
B
D
The
term
source
and
view
to
refer
to
the
thing
that
we're
sort
of
putting
this
proxy
around
again
and
and
then
those
actual
proxies
and
there's
probably
better
terms
to
use
here.
But
for
now
what
I
chose
source
of
views?
Okay,
the
the
views
should
be
able
to
do
local
rights,
the
rights
that
shadow
the
source,
but
not
affect
the
source,
okay
and
and
then
I
guess
to
preserve
some
reference
structure
like
circular
references
and
so
I
have
I.
Have
this
working
and
I'm
fairly
happy
with
it?
D
You,
let's
see
I'll,
go
to
this
this
one.
So
it
is
like
this
copy,
creating
thing
I'm
calling
copy
copies,
not
the
best
term,
it's
more
like
that
view
or
proxy
or
something,
and
so
once
you
do
that
you
can
create
you
get
a
copy,
creating
function
and
it
there's
sort
of
like
a
space
on
which
you
get
unique,
copies
or
there's
the
deep
duplication
of
copies
via
a
weak
map.
That's
happening
inside
that
space,
and
so,
if
I
have
some
object
and
I
create
a
copy,
then
it's
different
than
the
original.
D
A
D
Yes
and
I
have
I,
have
a
difference,
comparison
to
membranes
here,
I'm
great
so
so
I
would
say
yeah
I
kind
of
looking
at
prior
art
and
see
if
it
solve
a
use
case
and
there's
like
a
mirage
es
or
I
murder,
Roberts,
Manson,
there's
muta
and
then
si
es
memory,
okay.
So
for
the
membranes,
this
is
neat,
so
one
member
does
like
bi-directional
reference
wrapping
yeah.
D
D
Yeah,
yes,
memory
also
supports
verification.
You
don't
really
need
that
because
we're
just
your
we're
just
trying
to
make
you
know
add
some
defense
to
the
module
exports.
So
I
didn't
see
that
necessary
for
my
case,
but
that's
fine,
but
the
problem
seemed
to
support
shadowing
like
on
the
view
or
on
the
copy
making
rights
to
that
that
don't
affect
the
original.
Oh
no.
A
What
kind
of
distortions
can
you
express,
but
a
the
local
only
right
is
one
of
the
distortions
and
in
particular
that
I
know
it
supports,
because
that's
actually
what
he's
doing
for
the
motivating
Dom
case,
where
two
different
views
of
the
same
Dom
know,
let's
say:
Alice
and
Bob
have
distinct
views
of
the
same
underlying
Dom
tree
that
when
Alice
adds
an
expanded
property,
just
add
some
non-standard
property
to
a
Dom
node
through
the
view.
She
only
sees
it
through
review,
it's
not
on
the
real
Dom
node
and
it's
not
on
Bob's
view.
A
Right
and
ideally,
even
revocation
would
be
expressed
as
a
distortion
sort
of
the
ideal.
The
ideal
form
is
that
the
is
that
you
have
a
membrane,
creating
abstraction
that
in
which,
in
the
absence
of
distortion,
it's
as
transparent
as
possible,
and
then
every
deviation
from
transparency
is
by
virtue
of
an
added
distortion,
and
revocation
itself
is
a
is
a
is
a
deviation
from
full
transparency.
So
ideally,
it
should
be
a
distortion,
I
think
replication,
probably
from
an
engineering
point
of
view.
A
D
A
Should
yeah?
That's
that
that's
the
goal!
If
you
find
that
there's
a
distortion
that
you
need
that
you
cannot
express
in
terms
of
that
system
for
expressing
distortions,
then
that
would
definitely
be
an
issue
to
be
raised
where
we
should
take
a
look
at
the
expressiveness
of
the
distortion
mechanism
and.
A
The
in
the
absence
of
distortion,
there's
no
white
listing
needed
everything
is
just
as
transparent
as
possible.
All
right
you
can.
You
should
be
able
to
do
a
distortion
that
brings
about
a
white
listing
policy
that
it
only
shows
things
that
are
that
are
white
listed
to
be
shown,
but
that
would
itself,
but
any
kind
of
white
listing
policy
like
that
would
itself
be
a
distortion.
D
A
D
D
Well,
I'll
get
there
in
a
second.
So
so
that's
that's
the
goal
of
it.
So
currently,
when
you
call
methods
or
getters
and
setters
that
are
on
the
source,
then
they're
they're
called
with
with
the
view
as
this
and
then
I
feel
like
I'm,
doing
a
lot
of
sort
of
like
hacks
to
work
around
proxy
invariants
and
I.
Don't
really
I,
don't
know
why
proxy
and
variants
exist.
Maybe
I
need
to
read
yeah.
A
A
It
took
us
a
while
to
understand
what
the
how
to
think
about
them.
Well,
which
is
when,
when
a
property
descriptor
says
that
a
property
is
configurable,
that's
not
making
any
kind
of
commitment
with
regard
to
what
what
then
happens
in
the
future.
When
a
property
descriptor
says
that
a
property
is
not
configurable,
that's
making
a
stability
commitment
and
it's
a
stability
commitment
that
that
the
the
that
others
should
be
able
to
rely
on
without
having
to
trust
the
object
that
made
the
commitment
because
you're
not
asking
the
object.
A
Historically,
we
were
faced
with
this
chaos
of
host
objects,
Dom
objects,
for
example,
that
we're
just
none
of
the
rules
applied
to
it,
but
there
is
also
historically
no
explicit
plot
property
descriptors.
So
when
we
created
the
system
of
property
descriptors,
we
decided
that
it's
always
legal
for
an
object
to
always
claim
that
a
property
is
configurable
and
then
not
allow
it
to
be
configured
because
saying
it's
configurable
is
not
a
commitment
to
to
enabling
it
to
be
configured.
It's
only.
A
The
other
way
around
saying
it's
not
configurable
is
a
commitment
that
it's
stable,
so
even
a
host
object.
If
it
ever
says
that
a
property
of
it
is
non
configurable,
it
must
only
say
that
if
it's
then
permanently
committed
never
to
changing
the
stability,
you
know
never
changing
the
things
that
non
configurable
guarantees
is
stable,
so
that
so
that's
in
general,
the
philosophy
behind
all
of
the
invariants
and.
A
C
D
Working
around
that
because,
for
example,
I
want
you
to
be
able
to
modify
the
the
prototype
of
a
copy
like
here
at
class,
a
we'd
create
a
copy
of
it,
and
it's
B
I
want
you
to
be
able
to
modify
the
prototype
without
affecting
a
and
so
I
had
to
be
a
little
clever
as
to
what
the
actual
proxy
target
was
in
order
to
be
able
to
replace
its
prototype,
which
is
non
configurable.
In
the
case
of
the
case
of
the
class
syntax
right.
A
Right
right,
so
so
in
the
case
of
the
class
syntax,
it's
still
writable.
Is
it
no?
No,
maybe
it's
not
writable.
Is
it
yeah?
That's
right!
No!
That's
right!
That's
right!
I
think
the
class
commits
you
to
the
prototype,
I
think
you're
right
about
that.
It's
the
constructor.
That's
read
the
one
that
you
can
continue
to
change,
but
the
prototype
I
think
is
committed
in
class,
syntax
and
I.
Think
for
the
class
syntax.
A
That
makes
some
sense
because
the
prototype
is
an
inherent
part
of
meaning
of
the
class,
but
it's
not
really
something
people
think
of
as
a
separate
object.
So
if
the
same
class
object,
if
it
had
a
different
dot
prototype,
then
it
would
really,
you
know
not
mean
the
same
class
whereas
you
can
always.
If
you
want
something
like
a
class
in
which
you
can
change
the
prototype,
you
do
that
by
explicitly
just
using
declared
functions
now
going
back
to
the
your
issue
about
proxies.
A
So
you
got
that
exactly
right.
If
the
in
order
to
have
a
proxy
for
a
class
in
which
the
proxy
allows
the
prototype
property
to
be
changed,
the
proxy
has
to
be
careful
that
the
shadow
target,
the
target
that
the
proxy
knows
about
directly,
that
it
not
have
that.
You
know
that
that
that
target
either
not
have
a
prototype
property
or
if
it
haven't
prototype
property,
that
the
prototype
property
is
either
configurable
or
writable.
C
There's
something
yeah
there's
something
I
didn't
follow,
they're
going
back
up
to
up
above
where
you
had
your
your
example
yeah
that
which
is,
if
I
understand
what
Mark
just
said
correctly,
when
you've
made
your
your
your
shadow
copy
of
a
into
B.
Well,
a
was
a
class
classes,
have
a
certain
semantics,
one
of
which
is
you
you,
you
can't
fiddle
with
their
prototype
after
the
fact,
and
therefore
in
making
that
copy.
If,
if
you
can
make
that
modification
on
the
copy,
then
it's
it's
not
just
that
you're
doing
a
shadow
right
thing!
C
A
Well,
so
the
membranes
will,
of
course,
shadow
everything,
but
the
membranes
will
will
make
the
same
guarantee
but
make
the
same
stability
guarantees
for
the
shadow
that
that
you
know
so
that
they're,
basically
passing
whatever
in
whatever
way
the
original
guaranteed
stability.
The
undisturbed
membrane
will
guarantee
the
same
stability
for
for
the
the
membrane
forms.
Okay,.
D
A
D
A
A
D
D
Okay,
so
the
next
part
is
yeah,
so
currently
I'm,
seeing
some
failures
in
Quetta
on
dealing
with
typed
arrays,
because
I'm
also
like
proxying
them
and
then
calling
their
getters
and
setters
with
the
proxy
as
the
this
and
I
got
this
incompatible
receiver
on
the
type
of
raised
of
get
your
the
getter
for
lengths
that
much
yet.
But
this
is
a
seems
to
be
a
problem,
so
maybe
I
need
to
like
detect
typed
arrays
and
then
clone
them
instead
of
proxying
them.
A
You
should
not
need
to
if
you're
doing
this
and
then
so
membranes
I,
don't
think
need
to
so
it
yeah.
This
depends
on
whether
you're
crossing
streams,
whether
you're,
whether
you're,
if
you're,
applying
the
genuine
typed
array,
dot
prototype
dot
length
not
to
an
instance
of
typed
array
but
to
a
proxy
for
an
instance
of
typed
array,
then
I
would
expect
this
to
fail.
A
That's
probably
what
you're
seeing
yeah,
but
if
you're
doing
it
through
more
of
a
membrane
mechanism,
then,
when
you
ask
a
proxy
for
a
typed
array
for
the
Lent,
then
the
length
request
should
go
back
through
the
proxy
and
then
the
actual
length
should
should
only
happen
on
the
real
one,
not
on
the
proxy.
So.
D
A
So
so
does
anything
break
if
you
do
the
other
D,
if
you,
if
you
here's
okay,
let
me
make
sure
that
I
understand
you've
got
you
have
for
the
two
sides
of
your
membrane.
You
have
names
for
them,
I
suppose
view
and
source
those
really.
Those
are
the
names
okay.
So
if,
on
the
view
side,
you
have
a
proxy
for
a
typed
array
and
you
do
our
jar
and
you
do
a
dot
length
on
it
and
dot
lent
is
a
accessor
property.
Then
it
faults
on
the
proxy
for
type
array.
A
It
does
the
lookup
and
me
to
Fulton
to
handler
the
handler
says
that
the
receiver
is
the
proxy
and
then
the
what
the
membrane
would
do
is
it
would
translate
the
receiver
from
the
view
side
to
the
source
side
and
the
object.
The
cars
on
the
source
side
to
the
proxy
receiver
would
be
the
original
object.
So
that
would
be
the
thing
that
would
be
yes
and
through
as
this
finding
put
together.
D
D
D
So
that
especially
makes
sense
in
the
membrane
mental
model
and
they're,
not
here
I,
guess
I'm,
trying
to
like
just
like
lazily
make
fresh
instantiation
of
modules
without
actually
like
doing
a
full
reinstallation
module.
And
so
that's
why
I
was
thinking.
The
getter
should
affect
the
value
as
opposed
to
the
source,
but
maybe
it's
just
a
too
much
of
a
mess
to
try
to.
D
D
A
A
This
is
interesting.
I've.
Never
thought
about.
Thought
tried
to
think
this
through
in
terms
of
proxies
the
X
s
embedded
JavaScript
engine
the
JavaScript
engine
from
multiple
model.
Folks.
That
actually
does
this
inside
their
virtual
machine
in
order
to
enable
primordial
mutable
objects
or
not
just
not
just
primordial
ones,
but
application.
A
Mutable
objects
to
have
their
initial
state
be
Rama
Bowl.
Is
they
actually
have
a
inside
their
virtual
machine
for
their
bookkeeping
on
what
the
state
of
an
object
is?
They
refer
to
the
Rama
balagia
n--
from
a
pointer
in
a
table
in
RAM,
so
that
the
pointer
can
be
changed
to
point
at
a
difference
record
that
masks
the
what's
what's
in
wrong.
A
So
in
that
case,
basically
for
every
original
object
every
source
object.
Then,
let's
ignore
the
lazy
creation
for
every
special
object.
We
have
a
corresponding
proxy
and
the
proxy
has
a
shadow
target
and
the
shadow
target.
The
Metis
we'll
just
use
the
shadow
target
for
the
mutations,
so
the
handler
role
you
know
we'll
always
have
access
to
the
real
target.
The
phrasing
a
target,
as
well
as
the
shadow
target,
the
shadow
target.
A
If
you're
just
trying
to
emulate
everything,
is
mutable
all
the
comics
say,
then
the
shadow
target
nothing
would
ever
get
frozen
or
non
configurable
over
there.
You
want
to
maintain
everything,
maximally
mutable
and
then,
when
you
execute
a
original
getter,
then
you
would
do
exactly
what
you
stated,
which
is
you
would
execute
the
getter
with
the
proxy,
not
the
original
object
as
the
this
binding,
and
then
you
would
run
into
the
problem.
A
A
D
A
Right
right
right,
it's
the
FDA
written!
Yes,
that's
right!
If
the,
if
the,
if
the
original
graph
is,
has
functions
that
closed
over
state,
then
clearly
there's
nothing.
The
proxy
can
do
so
that
it
can
both
use
the
function
and
not
have
the
function,
modify
the
lexical
state
that
it
captured.
Maybe
just
no
way
to
do
that.
A
D
A
So
among
the
primordial,
the
JavaScript
primordial,
first
of
all,
it's
very
very
common
with
host
objects.
The
host
objects
are
just
this
completely
separate
category
of
things
for
JavaScript
standard
objects.
The
keyword
you
want
to
look
is
exotic,
and
you
also
just
want
to
look
for
definitions
of
internal
slots,
but
but
altogether,
there's
not
a
lot
of
them.
A
A
One
of
the
clearer
examples,
the
example
I
always
come
back
come
back
to
this
is
just
such
a
clear
example
is
date.
Date
actually
is
is
actually
a
does
not
represent
a
particular
historical
defect.
It
represents
it's
it's
a
it's
a
new
representation
of
some
dates
which
data
represents,
you
can
mutate
and
that
current
date
that
it
represents
was
kept
in
an
internal
slot
and
the
methods.
The
built-in
methods
on
date,
dot
prototype
can
access
that
internal
slot
directly.
A
A
D
A
A
D
A
A
D
D
C
Thing
that
immediately
popped
into
my
head,
when
you
and
you
described
this
last
week-
and
you
said
it
wasn't-
really
copying
it's
more
shadowing
and
my
first
thought
was
shadow
on
modify
mmm-hmm
yeah,
it's
some
tau,
some
toasted
ridicule.
It's
a
science
fiction.
Writer
doesn't!
This
is
really
just
this
one
of
those.
You
know
your
brain
policies,
associations
as
a
Cara
was
a
programmer.
I
worked
with
it,
hey
pal,
who
is
very
interested
in
actor,
computation.
A
A
I'm
not
sure,
with
the
make
of
that
analogy,
but
in
a
case
I
mean
the
the
syntax
is
important.
Yeah
I
don't
want
to
bike
shed
on
specifically
what
the
syntax
is,
but
arguing
about
whether
it
justifies
syntactic
support
is
actually
an
argument
worth
having
yet
because
I
am
very,
very
shy
about
proposing
syntax
I'm
generally,
the
most
vocal
one
on
the
committee
at
killing.
Other
people
attempts
to
extend
the
set
tax
and
but
on
this
one,
having
tried
to
do
this
for
many
years
in
different
ways
without
syntax
I
do
feel
like
this.
B
A
No
I
have
not
I,
have
not
the
I
think
the
Waldemar,
the
Waldemar
thing
would
really
becomes
crucial
when
we
try
to
pin
down
what
the
concrete
syntax
is.
Okay,
because
you
know
Walden
I
basically
has
this
incredible
ability
to.
A
Spot
syntactic
ambiguities,
including
those
that
are
caused
by
semicolon
insertion.
The
kind
of
thing
that
you
know
all
of
the
rest
of
us
would
have
to
you
know,
turn
to
an
automatic
tool
to
do
what
we
can't
possib,
what
a
human
being
can't
possibly
simulate
in
their
head.
Waldemar
will
just
tell
you
what
the
ambiguity
is.
It's
just
amazing,
yeah.
C
C
C
D
A
C
A
A
C
A
C
It's
probably
not
the
most
useful
in
this
conversation,
which
is
that
which
is
when
promises
were
put
into
JavaScript.
Initially,
the
work
was
not
completed,
and
this
is
simply
completing
the
work
that
was
which
was
hinted
at
you
know
that
was
foreshadowed.
You
know
for
tell
that's
foretold
in
the
prophecies,
but
never
realised,
and
now
we
are,
we
are
bringing
it
about
so.
A
C
C
They
were
tremendously
excited
by
this,
but
part
of
that
is
because
now
Evernote
is
you
know,
by
virtue
of
me
being
co-champion
putting
it's.
You
know
it's
name
behind
this.
They
feel
a
sense
of
ownership
which
actually
it's
very
cool
and
very
encouraging,
but
I've
also
had
the
pushback
from
from
other
folks,
where.
C
C
I
totally
agree
with
you
there
and
and
I
would
consider
that
to
be
a
definitive
argument,
but
just
even
looking
at
some
of
the
tone
of
some
of
the
a
couple
of
the
people
who
posted
issues
on
our
github
repository
for
the
proposal
that
reflected
a
degree
of
not
understanding
and
that
I
found
very,
very
frustrating
and
gonna
kind
of
had
to
forcibly
restrain
myself
from
saying
you
know
in
politic
things.
This
is
like
you
know,
you
know,
you
know
they
know
not
where
if
they
speak
really
rather
than
oh,
you
ignorant
fool.
A
C
A
Q&Amp;Q
connection
queue
is
very
much
the
you
know
the
most
important
proceeding
library
that
led
to
the
promises
that
we
standardized
Magna
scripts
x:q
connection
is
the
extension
of
it
over
the
network
with
an
eventual
send
operator
and
the
methods
on
promise
dot
prototype
that
will
that
we're
proposing
to
add
the
promise
not
ratified.
These
are
basically
just
proposing
to
continue
to
adopt
more
cue
writing
to
promise
stop
prototype
the
extension.
A
The
extension
point
is
not
quite
the
same
as
the
hue
extension
point,
and
that's
because
we,
you
know
we
figured
some
things
out
since
we
did
the
QED
thing.
I
think
our
extension
point
is
better
yeah,
but
the
main
thing
is
that
cue
connection
in
deployment
rapidly
became
impractical
as
a
way
to
do
distributed
objects
because
of
the
lack
of
weak
references
that
the
import/export
tables
just
grew
without
bound
because
you
couldn't
drop
anything
right.
C
I
think
I
think
I
think,
if
not
meeting
with
that,
certainly
front-loading
that
as
part
of
the
pitch
would
be
very
helpful
because
having
a
clean
answer
to
you
know
why
now
is
good
and
I
I.
Think
the
the
historical
connection
to
cue
is
also
also
helpful.
I
mean
one
of
the
things
that
I
really
liked
about
the.
C
A
A
C
Well,
that's
interesting
so
then,
then
I
suppose
over
the
weekend
and
we
should
just
be
sort
of
refining
our
our
pitch
sort
of
our,
not
not
not
the
formal
pitch
which
you,
which
will
you
all
know,
not
be
refining
but
sort
of
our.
You
know
our
set
of
thought-out
responses
to
things
people
might
say
in
discussion.
C
A
A
A
A
A
C
Yes,
I
think
another
thing
that-
and
this
is
this
is
this-
is
I-
think
a
more
abstract
and
harder
argument
to
make.
But
in
the
context
well,
in
the
traditional
web
world,
you
had
the
browser
and
you
have
the
web
server
and
they're
in
a
just
a
straight-up,
one-on-one
dialogue
and
in
a
lot
of
the
interesting
systems
and
applications
that
I've
built.
You
have.
C
Multiple
parties,
you
know
in
even
if
it's
just
a
planet,
server
its
end
clients
and
a
server
jointly
engaging
in
some
kind
of
of
mutual
interaction
and
therefore
any
anything
which
is
is
synchronous
in
the
sense
of
I,
send
a
message
to
the
server
and
and
then
I'm
blocked
until
I
get
something
back
means
that
I
am
NOT.
I
am
now
not
participating
in
this.
C
This
n
way
conversation
until
that
happens,
and
that
would
be
fine
if
the
only
thing
I'm
doing
is
waiting
for
the
server
to
say
something,
but
I'm
also
waiting
for
all
of
the
other
parties
in
the
interaction
to
say
something
as
well,
and
even
though
the
server
is
the
connection
is
the
medium
through
which
I
am
interacting
with
all
of
those
other
people.
All
of
that
stuff
is
all
of
these
kind
of
ongoing
things
are
necessarily
interleaved
and.
C
And
so
the
minute
you
get
into
a
world
where
you
have
an
N
way
interaction
rather
than
a
two-way
interaction.
You
you
immediately
have
to
start
confronting
all
of
this.
This
interleaving
and-
and-
and
this
is
a
this-
is
a
particularly
good
set
of
abstractions
for
doing
that.
But
that's
that's
a
really
that's
one
of
those
you
kind
of
you
kind
of
already
have
to
have
the
problem
before
you
can
before
you
can
understand
it
kinds
of
things:
yep,
yes,
I.
C
A
Answers
so
go
ahead,
yeah
yeah
by
the
way,
Michael
I
know
you
can't
intend
in
person
generally
these
meetings.
I.
Think
always
these
days,
these
meetings
enable
people
to
attend
remotely
and
via
a
goreck.
You
you
do
have
full
rights
to
attend.
Can
you
attend
remotely
I,
know:
okay,
great
yeah
I'm,
not
sure
what
I
need
to
find
out
to
be
able
to
do
that,
but
yeah
guys,
good
I'll
point
you
to
something.