Revision 93389 of Securable Modules

  • Revision slug: CommonJS/Modules/Securable_Modules
  • Revision title: Securable Modules
  • Revision id: 93389
  • Created:
  • Creator: Kris.kowal
  • Is current revision? No
  • Comment 1 words added, 26 words removed

Revision Content

This specification addresses how modules should be written in order to be interoperable among a class of module systems that can be both client and server side, secure or insecure, implemented today or supported by future systems with syntax extensions.  These modules are offered privacy of their top scope, facility for importing singleton objects from other modules, and exporting their own API.

  • A module receives a "require" Function.  The "require" function accepts a module identifier.  "require" returns an object containing the exported API of the foreign module.  If there is a dependency cylce, the foreign module may not have finished executing at the time it is required by one of its transitive dependencies; in this case, the object returned by "require" must contain at least the exports that the foreign module has prepared before the call to require that led to the current module's execution.  If the requested module cannot be returned, "require" throws an error.
  • A module receives an "exports" object, synonymous with "this" in the top scope of the module, that it may add its exported API to as it executes.  Properties of "exports" are implicitly available in scope after they've been added.
  • A module is guaranteed that "var" and "function" declarations are not communicated implicitly to other modules.

To be interoperable with secure environments, a module must satisfy the following additional constraints:

  • A module must not have any free variables apart from primordials ("Object", "Array", &c), "require", and "exports".
  • A module must not tamper with (assign to, or assign to members of) the transitive primordials, the "require" object, or any object returned by "require".

This specification leaves the following important points of interoperability unspecified:

  • The domain of module identifiers.
  • Whether relative module identifiers are supported.
  • Whether a PATH is supported by the module loader for resolving module identifiers.
  • The contents of the environment, "require.env".

 

Revision Source

<p>This specification addresses how modules should be written in order to be interoperable among a class of module systems that can be both client and server side, secure or insecure, implemented today or supported by future systems with syntax extensions.  These modules are offered privacy of their top scope, facility for importing singleton objects from other modules, and exporting their own API.</p>
<ul> <li>A module receives a "require" Function.  The "require" function accepts a module identifier.  "require" returns an object containing the exported API of the foreign module.  If there is a dependency cylce, the foreign module may not have finished executing at the time it is required by one of its transitive dependencies; in this case, the object returned by "require" must contain at least the exports that the foreign module has prepared before the call to require that led to the current module's execution.  If the requested module cannot be returned, "require" throws an error.</li> <li>A module receives an "exports" object, synonymous with "this" in the top scope of the module, that it may add its exported API to as it executes.  Properties of "exports" are implicitly available in scope after they've been added.</li> <li>A module is guaranteed that "var" and "function" declarations are not communicated implicitly to other modules.</li>
</ul>
<p>To be interoperable with secure environments, a module must satisfy the following additional constraints:</p>
<ul> <li>A module must not have any free variables apart from primordials ("Object", "Array", &amp;c), "require", and "exports".</li> <li>A module must not tamper with (assign to, or assign to members of) the transitive primordials, the "require" object, or any object returned by "require".</li>
</ul>
<p>This specification leaves the following important points of interoperability unspecified:</p>
<ul> <li>The domain of module identifiers.</li> <li>Whether relative module identifiers are supported.</li> <li>Whether a PATH is supported by the module loader for resolving module identifiers.</li> <li>The contents of the environment, "require.env".</li>
</ul>
<p> </p>
Revert to this revision