From:  John Lenz <concavelenz@gmail.com>
Date:  14 Mar 2014 12:49:15 Hong Kong Time
Newsgroup:  news.mozilla.org/mozilla.dev.js-sourcemap
Subject:  

Re: Source maps in ES7?

NNTP-Posting-Host:  63.245.216.66

Two things:

I'm very interested in prior art in this area.  This isn't a new problem we
are trying to solve.

The original source map deliberately ignore these features to all multiple
levels of translation and at a mid level there might not be a JS AST
representation to hook on to.
On Mar 12, 2014 5:31 PM, "Brian Slesinsky"  wrote:

> On Wed, Mar 12, 2014 at 5:04 PM, Fitzgerald, Nick
> wrote:
>
> > On 3/12/14 2:40 PM, Brian Slesinsky wrote:
> > > Interesting. I think the sticky part will be providing the
> > > getLocals(), getDisplayValue(), and eval() functions. I think it's
> > > right that they should be language-specific JavaScript code provided
> > > by the compiler, since this allows a lot of flexibility. But which
> > > JavaScript environment should they run in and what do they have access
> > > to? I think it would have to be a sandbox of some sort and there may
> > > be security implications for curious developers who run untrusted code
> > > with the debugger window open.
> >
> > I was imagining it would run in the frame the debugger was paused in.
> > That way it would have access to whatever JavaScript locals exist.
> >
>
> However that means the debugger's view of things could possibly be broken
> by someone monkey-patching a prototype in the web page itself (or possibly
> by an extension changing something). A debugger or a debugger plugin should
> work even when things have gone very wrong in the program being debugged.
> But it's hard to write code sufficiently paranoid to work in any
> environment.
>
>
> > Perhaps I am missing something, but if you are already running a site's
> > code, why would they need to send the bad stuff via the debugging
> > information?
> >
>
> We would be creating a place to hide JavaScript code where nearly all web
> developers wouldn't suspect it, which sounds like an interesting target for
> a hacker.
>
> It would be a problem if it somehow ran with higher privileges than the
> code being debugged. For example, suppose the debugger called the plugin
> code when it's looking at the local variables of a function that's running
> in an iframe that came from a different origin? Now we have an interesting
> way to get around same-origin restrictions.
>
> So I think running each compiler's custom code as a separate low-privilege
> extension makes the most sense, both to protect it from outside
> interference and to make sure it can't do anything malicious.
>
> - Brian
> _______________________________________________
> dev-js-sourcemap mailing list
> dev-js-sourcemap@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-js-sourcemap
>