FUDCo edited this page Sep 8, 2015 · 5 revisions

Glossary

Browser Sandbox

A soft isolation boundary, like the browser's sandboxed unique origin iframe or worker, that cannot be prevented from sending whatever bits it wants to any site on the internet. The browser's isolation boundaries do nothing to prevent unconstrained outward (page to site) communication. These boundaries are based on the same origin policy (SOP) which does nothing to impede even two way conversations of arbitrary information between page content and arbitrary collaborator sites on the internet. The SOP only restricts the information that a page can obtain from arbitrary non-collaborative sites outside its own origin, i.e., inward communications from non-collaborating sites.

Compartment

An isolation boundary that provides full mediation of all attempts by things on either side of the boundary to communicate with each other. If the compartment allows no communication, then the things in the compartment are fully isolated. In an Operating System, a user-mode process is a compartment, in that it can only communicate with things outside itself by making system calls -- giving the OS kernel the opportunity to mediate.

User-mode JavaScript

The user-mode subset of a machine instruction set is the subset that does not include any direct abilities to communicate with the outside world. By analogy, user-mode JavaScript is a subset of JavaScript that imposes this same constraint.

Taming

The wrapping of legacy objects and services outside a compartment for purposes of presenting some virtualized view of them to the content inside a compartment. For example, the MMU is the means by which an OS kernel tames physical memory in order to give a user-mode process access to a virtualized remapped subset of physical memory.

Caja

A compartment implementation that deals with the full richness of web content, including JavaScript, HTML, CSS, and the browser APIs (especially the DOM APIs). The name "Caja" is both a contraction of "Capability JavaScript" and the Spanish word for "box", as in a strongbox for keeping your money in. A strongbox is much stronger than a sandbox.

Domado

The component of Caja that tames HTML, CSS, and the browser APIs (especially the DOM APIs). Domado wraps the real ("physical") document DOM tree of a page, to present a virtualized remapped subtree of DOM nodes as a virtual document DOM tree. The name "Domado" is Spanish for tamed.
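To make the Taming and Domado entries concrete, here is an added toy example (not Caja or Domado code): a constructed "physical" tree and a taming layer that presents one subtree as a virtual document. Guest code that is handed only the tamed root can navigate inside the subtree but cannot reach the physical nodes, their non-whitelisted attributes, or any ancestor outside the subtree. The node shape, attribute whitelist and sample document are all assumptions made for this illustration.

```javascript
// Constructed sample "physical" document: host content plus a guest region.
function makeNode(name, attrs) {
  return { name, attrs: attrs || {}, children: [], parent: null };
}
function appendChild(parent, child) {
  child.parent = parent;
  parent.children.push(child);
  return child;
}
const physicalDoc = makeNode('html');
const hostDiv = appendChild(physicalDoc, makeNode('div', { id: 'host', token: 'HOST-SECRET' }));
const guestDiv = appendChild(physicalDoc, makeNode('div', { id: 'guest' }));
const guestP = appendChild(guestDiv, makeNode('p', { class: 'note' }));

// Taming layer (hypothetical): a WeakMap gives each physical node exactly one
// tamed wrapper, so identity comparisons work on the virtual side while the
// physical node itself is never exposed. Only whitelisted attributes are readable.
function tameSubtree(physicalRoot) {
  const tamedOf = new WeakMap();
  const allowedAttrs = new Set(['id', 'class']);
  function tame(node) {
    if (tamedOf.has(node)) return tamedOf.get(node);
    const wrapper = Object.freeze({
      get tagName() { return node.name; },
      getAttribute(key) {
        return allowedAttrs.has(key) && key in node.attrs ? node.attrs[key] : null;
      },
      // The virtual root's parent is null: ancestors in the host page are invisible.
      get parentNode() { return node === physicalRoot ? null : tame(node.parent); },
      get childNodes() { return node.children.map(tame); },
    });
    tamedOf.set(node, wrapper);
    return wrapper;
  }
  return tame(physicalRoot);
}

// What guest code would be given: a virtual document rooted at the guest region.
const virtualDoc = tameSubtree(guestDiv);
```

Walking up from the virtual root stops at null, and even a tamed view of the whole page hides the host's `token` attribute, which is the mediation a compartment relies on.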

TC39

The Ecma committee that standardizes JavaScript. ES3, ES5, and ES6 are successive versions of the JavaScript standard. ES3 was ratified in 1999, ES5 in 2009, and ES6 in 2015. IE9 is the only ES3 browser still in significant deployment. All other browsers deployed today have full implementations of ES5 and various partial implementations of ES6.

ES5/3

A heavyweight translator from the user-mode subset of ES5 to actual ES3. This translator is heavyweight in three regards:

  • It is a Java program that runs on the server side, making it much harder for third parties to create their own deployments, since many of them were not already running Java on the server side.
  • Because of all the additional semantic state introduced by ES5, the translation from ES5 to ES3 introduces a significant slowdown, say between a factor of two and four.
  • Because of all the code that needs to be downloaded to set up the ES5/3 runtime and to initialize the environment, ES5/3 adds significant latency to initial page load.

SES5

This is what we currently refer to as "SES" or "Secure EcmaScript". We introduce the "5" in order to make further distinctions.

This is the current system for enforcing a user-mode subset of ES5 on an ES5 or ES6 system. It cannot be used on an ES3 system, including IE9. SES5 is a purely client-side library written in ES5 that enforces these restrictions without any translation. In comparison with ES5/3:

  • SES5 is easy to deploy, because it is only a JS library and needs no server-side component.
  • The secured user-mode code runs at essentially full speed, because it is the same JavaScript source text that it was before.
  • The runtime is fairly small, but the time it takes to initialize its runtime environment is still substantial. Thus, SES5 still adds significant latency to initial page load.

See Differences between SES, SES5, and ES5

Standard SES

A proposal for including SES as a standard component of EcmaScript, starting in some version after ES6. By being directly supported by the browser, we can eliminate the remaining overhead of initialization that hurts initial page load. By having it be standard, it will stay current with the rest of JavaScript.

The purpose of this repository is to draft a proposal for Standard SES.