Observable Membrane

Creating robust JavaScript code becomes increasingly important as web applications become more sophisticated.

Extremely modular app composed from different servers (not all web code under your control).

For example a collection of non sandboxed plugins to build a business web app using extreme modularity. The dynamic nature of JavaScript code at runtime has always presented challenges for developers. We see this in the NPM ecosystem. Already with disruptive security effects such as the NPM event-stream hack. page Thus Salesforce's package implements an observable membrane in JavaScript using Proxies.

A membrane can be created to control access to a module graph, observe what the other part is attempting to do with the objects that were handed over to them, and even distort the way they see the module graph. page

Here, the function object passed to onclick would be wrapped in another membrane proxy: window.document.onclick = function (event) { console.log(event.target) }

Often we don’t just want to isolate the third-party code from the host, but also isolate the host from the third-party code. A membrane can accomodate this by wrapping the arguments passed to methods on a membraned object:

# Strengths and limitations To really be effective in isolating application sub-components, it is crucial for a membrane to intercept all possible interactions between objects of the sub-components it is trying to isolate. In particular this requires the complete absence of mutable state that is globally visible across sub-components. In languages like JavaScript, this usually requires making sure the global environment is either made immutable or virtualized as well (see Secure ECMAScript for a principled attempt to do this).

One advantage of using membranes to isolate different parts of an application is that the objects on different sides of the membrane still reside in the same address space, and so can still communicate through standard programming abstractions such as method calls or field accesses. They can also share direct pointers to (usually immutable) shared state. This is very different from isolation through process-like abstractions, which introduce separate address spaces. This usually forces the use of inter-process communication (IPC) mechanisms, and usually requires redesigning the APIs of the sub-components of the application. For example, in browsers, another way of isolating different parts of a web application is through Web Workers, which can only interact by asynchronous message passing. page

Authority Attenuation in DOM.

Implementing the above is enabled by object-capabilities gradually introduced to JavaScript by Mark S. Miller's ongoing ES work at TC39.