Next: Access Control List (ACL) Up: Our Implementation Previous: Policy Lookup

Property and External Interface Policies

The per-property and per-external-interface policies were easy to implement. At the point in the code where a get- or set-property function is implemented, the modified code checks whether there is a corresponding property (external interface) policy in effect and, if so, whether the requested access violates it (for example, an attempt to write a read-only property). Because this check happens frequently, performance optimizations should be considered, such as caching the results of previous checks or building a hash table that can be queried efficiently to determine whether access to an object is affected by an existing policy. The vast majority of objects will not be affected, since a typical policy covers only a few security-sensitive objects.

On a violation, the implementation checks the continuation setting for the relevant security policy and either aborts interpretation or continues without granting access. If there is no violation, interpretation proceeds normally.

Access to the new document.ACL property is a special case. We unconditionally restrict access so that only the script that created the document has permission to read or write document.ACL. Otherwise, a rogue script could attempt to change document.ACL and gain access to the objects that ACLs protect.
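The check described in this section can be modeled as follows. This is an added sketch, not the paper's implementation: the class and method names, the policy record layout, and the sample properties (document.cookie, window.status) and script names are assumptions chosen for illustration.

```javascript
// Added illustration: class, method and policy names are assumptions.
class PolicyAbort extends Error {}
class PropertyPolicies {
  constructor(creatorScript) {
    this.creator = creatorScript; // script that created the document
    this.table = new Map();       // "object.property" -> policy, O(1) lookup
  }

  // mode "read-only" is the page's example; continuation is "abort" or "continue".
  add(object, property, mode, continuation) {
    this.table.set(`${object}.${property}`, { mode, continuation });
  }

  // Called on the get-/set-property path. Returns true to grant access,
  // false to continue without granting it, and throws to abort interpretation.
  check(script, object, property, op) {
    const key = `${object}.${property}`;
    // document.ACL is restricted unconditionally to the creating script.
    // Denying without aborting here is an assumption of this sketch.
    if (key === "document.ACL") return script === this.creator;
    const policy = this.table.get(key);
    if (policy === undefined) return true; // common case: object not covered
    const violates = policy.mode === "read-only" && op === "set";
    if (!violates) return true;
    if (policy.continuation === "abort") throw new PolicyAbort(`${op} ${key} by ${script}`);
    return false;
  }
}

// Constructed scenario exercising each branch of the check.
function demo() {
  const p = new PropertyPolicies("creator.js");
  p.add("document", "cookie", "read-only", "continue");
  p.add("window", "status", "read-only", "abort");
  const r = {
    unaffected: p.check("other.js", "document", "title", "set"),
    readAllowed: p.check("other.js", "document", "cookie", "get"),
    writeDenied: p.check("other.js", "document", "cookie", "set"),
    aclCreator: p.check("creator.js", "document", "ACL", "set"),
    aclOther: p.check("other.js", "document", "ACL", "get"),
  };
  try {
    p.check("other.js", "window", "status", "set");
    r.aborted = false;
  } catch (e) {
    r.aborted = e instanceof PolicyAbort;
  }
  return r;
}
```

The document.ACL test runs before the table lookup, so no policy entry added by a script can loosen it.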


Alain Mayer
8/30/1999