Okay, so this might be a bit of a ramble. Hi, I'm one of the developers of Monte https://monte.rtfd.org/, a new programming language based on E. E http://erights.org/ is a language from the 90s. Crockford worked on E. E's TermL mini-language became JSON. Another person who worked on E was Mark Miller. Miller's thesis project was formalizing and describing systems built with E. Crockford and Miller both are part of the committees that steer JS.
Now, to bring it all together: Object capability security is a security discipline based on the principle of least authority and perfect encapsulation. It allows us to build secure distributed computations with pretty good security properties; wf-stringe can prove that certain data cannot be exfiltrated, that certain I/O cannot happen, and that certain computations are arbitrarily safe to evaluate. It's not perfect, but it's a massive improvement on the state of things.
E and Monte, as well as a few other languages like Caja, Pony, and Waterken, are object-capability languages. Just like languages without manual memory management cannot misbehave in certain ways, these languages also promise that they cannot fail in certain desirable security-related ways.
Crockford, Miller, and others have been deliberately steering JS towards more capability-safe constructions. The object model has been tightened up, and tools like weakmaps, promises, and "template strings" (we call them quasiliterals in the literature) have been added. However, JS is still defined by its weak points, and those points are weak indeed.
Obviously, my bias is towards Monte. It's my preferred language and I want it to be popular. But, more importantly, I want the ideas that went into Monte to be popular. So, in that spirit, I'm going to give you a short list of questions. I want you to think, "How can I do that in my favorite language? Why would I want it?" Monte is meant to be the next Blub http://wiki.c2.com/?BlubParadox, the next language that is mediocre but built on a good foundation, and part of that is trying to see how Monte answers questions like:
- The encapsulation problem: How do I produce an object which perfectly encapsulates a value; i.e. the object refers to a value but referring to the object is not sufficient to gain reference to the value?
- The concurrency problem: How do I run two interacting plans of code at once?
- The privacy problem: How do I prove, (in)formally, that a value cannot be exfiltrated from my program except through designated channels?
- The confused deputy problem: What ambient authority is assigned to a "deputy", a program which can be fooled into misusing that authority?