It's a well-known fact that overwriting anything in Object.prototype
(like Object.prototype.toString, for instance) is a very bad idea, because
it breaks for-in looping.
Properties 'properly' added/updated using Object.defineProperty
{enumerable: false} do not break for-in afaik.
I wasn't aware you could use Object.defineProperty() on `Object.prototype`
itself. But, see below, because this part of the conversation is really
outside the spirit of what I'm asking anyway. (I'm not talking about if my
responsible code can do it, I'm talking about if other untrusted code does
it first, before my code runs.)
2. Would it be possible for Object.prototype.* to be read-only for
ES-Harmony (or even just strict mode)?
3. By read-only, I mean that changes to it would just silently be
discarded.
Alternatively (especially for strict mode), warnings/errors could be thrown
if attempting to override them?
Doesn't Object.freeze(Object.prototype) provide exactly this behavior
already?
It does (I suppose), if you're positive that your code is the first code to
run on the page. I'm more talking about code out in the wild, where
malicious/hijacked scripts on your page could alter how the page acts before
your more trustworthy code is able to run. Yes, I know that the concept of
code security is a whole can o' worms to itself, but I am just implying that
this small thing would be helpful in protecting against some of the effects
of such behavior.
I think that being able to override something like Object.prototype.toString
to "lie" about objects/values is a "security" hole we should consider
plugging. For instance, you can "lie" to
`document.location.href.toString()`... or a call like
`Object.prototype.toString.call(window.opera) == "[object Opera]"` (a common
browser inference for Opera) is easily fake'able.
Doesn't this imply the application deliberately 'lies' to itself? Not
sure to understand how would this be an issue?
It might even be sort of useful for mocking.
(see above)
--Kyle
_______________________________________________
es-discuss mailing list
https://mail.mozilla.org/listinfo/es-discuss
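
The behaviours debated in this thread, side by side, as an added example that is not part of the original message. It assumes Node.js and uses its `vm` module so that each scenario gets a fresh global with its own `Object.prototype`; the function names and the `extra` property are illustrative.

```javascript
const vm = require("node:vm");

// Run a script in a brand-new context (stand-in for a freshly loaded page).
// The host process's own Object.prototype is never touched.
const run = (source) => vm.runInNewContext(source);

// Script fragment: report which keys a for-in loop sees on { a: 1 }.
const FOR_IN = `
  function keysSeen() {
    var seen = [];
    for (var k in { a: 1 }) seen.push(k);
    return seen.join(",");
  }`;

// Plain assignment creates an enumerable property: for-in now sees it.
const plainAssignment = () => run(FOR_IN + `
  Object.prototype.extra = function () {};
  keysSeen();`);

// defineProperty with enumerable: false leaves for-in untouched.
const nonEnumerableDefine = () => run(FOR_IN + `
  Object.defineProperty(Object.prototype, "extra",
    { value: function () {}, enumerable: false });
  keysSeen();`);

// Frozen prototype, sloppy mode: the overwrite is silently discarded.
const frozenSloppy = () => run(`
  Object.freeze(Object.prototype);
  Object.prototype.toString = function () { return "lie"; };
  Object.prototype.toString.call([]);`);

// Frozen prototype, strict mode: the same overwrite throws.
const frozenStrict = () => run(`
  "use strict";
  Object.freeze(Object.prototype);
  var outcome = "no error";
  try { Object.prototype.toString = function () { return "lie"; }; }
  catch (e) { outcome = e.name; }
  outcome;`);

// Freeze applied after another script already replaced toString:
// the replacement is what gets locked in.
const untrustedRunsFirst = () => run(`
  Object.prototype.toString = function () { return "[object Opera]"; };
  Object.freeze(Object.prototype);
  Object.prototype.toString.call({});`);
```

The last scenario is the load-order concern raised in the reply: `Object.freeze` only preserves whatever state `Object.prototype` is in when the freeze runs.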