Use distinct Confidences for tame node subtypes.

This ensures that a method for a given subtype of TameNode cannot
be applied to a different one, possibly allowing unexpected access.

Fixes <https://code.google.com/p/google-caja/issues/detail?id=1576>.

Core changes:
* Add method confidence.subtype('name') to generate subtypes. Each
  subtype has its own table but shares the private state record.
  Arguably, they should each have their own record to have their own
  namespace, but that would require major changes to handle the
  distinction and mean many tamed methods would have to perform multiple
  WeakMap lookups for one invocation.
* Introduce subtypes for TameBackedNode, TameElement, TameDocument,
  TameBackedAttributeNode, and all specific element interfaces.
* Confiding in proxies is handled by an init method on the handler ctor
  rather than finishNode.

Support for using the right subtypes:
* Added Props.ampAccessor, like Props.ampGetter plus setter.
* PT.TameMemoIf's tamer, and defineElement's constructor hook, are
  passed the private state record instead of having to do their own
  amplification.

Other changes:
* Remove shorthands nodeAmp and nodeAmplify as they encourage not
  thinking about subtypes, and eventAmp because it was unused.
* Updated foreign node test to expect a misapplied method to throw.

@r5620

[felix8a, 2013-10-01 12:46:53]

lgtm

https://codereview.appspot.com/14156046/diff/1/src/com/google/caja/plugin/dom...
File src/com/google/caja/plugin/domado.js (right):

https://codereview.appspot.com/14156046/diff/1/src/com/google/caja/plugin/dom...
src/com/google/caja/plugin/domado.js:415: function _SubConfidence(typename,
opt_superTable, opt_superTypename) {
_SubConfidence always gets called with 3 args, no reason to mark them opt_

[kpreid2, 2013-10-01 16:54:24]

This ensures that a method for a given subtype of TameNode cannot
be applied to a different one, possibly allowing unexpected access.

Fixes <https://code.google.com/p/google-caja/issues/detail?id=1576>.

Core changes:
* Add method confidence.subtype('name') to generate subtypes. Each
  subtype has its own table but shares the private state record.
  Arguably, they should each have their own record to have their own
  namespace, but that would require major changes to handle the
  distinction and mean many tamed methods would have to perform multiple
  WeakMap lookups for one invocation.
* Introduce subtypes for TameBackedNode, TameElement, TameDocument,
  TameBackedAttributeNode, and all specific element interfaces.
* Confiding in proxies is handled by an init method on the handler ctor
  rather than finishNode.

Support for using the right subtypes:
* Added Props.ampAccessor, like Props.ampGetter plus setter.
* PT.TameMemoIf's tamer, and defineElement's constructor hook, are
  passed the private state record instead of having to do their own
  amplification.

Other changes:
* Remove shorthands nodeAmp and nodeAmplify as they encourage not
  thinking about subtypes, and eventAmp because it was unused.
* Updated foreign node test to expect a misapplied method to throw.

[kpreid2, 2013-10-01 16:55:38]

https://codereview.appspot.com/14156046/diff/1/src/com/google/caja/plugin/dom...
File src/com/google/caja/plugin/domado.js (right):

https://codereview.appspot.com/14156046/diff/1/src/com/google/caja/plugin/dom...
src/com/google/caja/plugin/domado.js:415: function _SubConfidence(typename,
opt_superTable, opt_superTypename) {
On 2013/10/01 12:46:54, felix8a wrote:
> _SubConfidence always gets called with 3 args, no reason to mark them opt_

Sorry, that's E style leaking. I don't need them to be optional, but I do want
to mark them as _nullable_. I don't know of a good way to do that, though, so
I'll take it out in favor of a comment.

[kpreid2, 2013-10-28 18:44:00]

This ensures that a method for a given subtype of TameNode cannot
be applied to a different one, possibly allowing unexpected access.

Fixes <https://code.google.com/p/google-caja/issues/detail?id=1576>.

Core changes:
* Add method confidence.subtype('name') to generate subtypes. Each
  subtype has its own table but shares the private state record.
  Arguably, they should each have their own record to have their own
  namespace, but that would require major changes to handle the
  distinction and mean many tamed methods would have to perform multiple
  WeakMap lookups for one invocation.
* Introduce subtypes for TameBackedNode, TameElement, TameDocument,
  TameBackedAttributeNode, and all specific element interfaces.
* Confiding in proxies is handled by an init method on the handler ctor
  rather than finishNode.

Support for using the right subtypes:
* Added Props.ampAccessor, like Props.ampGetter plus setter.
* PT.TameMemoIf's tamer, and defineElement's constructor hook, are
  passed the private state record instead of having to do their own
  amplification.

Other changes:
* Remove shorthands nodeAmp and nodeAmplify as they encourage not
  thinking about subtypes, and eventAmp because it was unused.
* Updated foreign node test to expect a misapplied method to throw.