ajvincent
commented
5 years ago At first glance, I think this may be partly solved by the interposing distortions I describe in #190. I say partly because there's the case you raise here: where Alice and Bob share a subset of distortions which is not the whole set for either of them. The interposing distortions in #190 make that subset equal to Alice's set of distortions.
That said, we may be able to implement what you describe here by both Alice and Bob having an interposing distortion to a distinct membrane proxy in its own object graph which implements the shared subset of distortions.
I will say I'm nowhere near ready to implement such a set-up, but the current es-membrane's ChainHandler API may allow you or someone else to prototype it if desired.
Consider the situation in the image below. One could say that Alice’s distortion of the DOM object has a set of restrictions (or constraints) that limit Alice’s knowledge of the DOM’s attributes and possible operations and her ability to perform operations on it, and Bob’s distortion also has a set of restrictions that is potentially different from Alice’s. If Alice sends Bob a request to perform an operation on the DOM through his distortion, he may not be able to complete the request unless he knows about the necessary attributes and operations and can perform the necessary operation. This prompts the notion of a set of restrictions that is common between Alice’s and Bob’s distortions. Having such a notion may be useful in determining which of Alice’s requests to Bob may or should fail. A request may fail in a scenario like the one described above, and a request should fail if Alice is malicious and tries to mount a confused deputy attack (i.e., Alice asks Bob to perform an operation she herself is restricted from performing on the DOM).