I recently came across a blog post by Thomas Leonard entitled Lambda Capabilities. This provides an interesting framing of the well-established security concept of capabilities (broadly, explicit, fine-grained authorisation as opposed to policy-based permission) in terms of functional programming. This essentially boils down to the observation that, if you don’t have global variables (a good idea for a variety of reasons), and stick to pure functions, the formal parameters can serve as capabilities — a function can only access the things that you pass in to it. For example, if I only pass in the htdocs directory object, the function can’t access files elsewhere1.
AMD modules have since been superseded by standardised
An even more relevant comparison is with WebAssembly, which does not start with the same global baggage, and has a sandboxing model that explicitly prevents cross-function leaking. A WebAssembly runtime built around this model of capabilities seems like a very interesting proposition.