On Sun, May 8, 2011 at 00:35, Kyle Simpson <[email protected]> wrote:
>> Doesn't Object.freeze(Object.prototype) provide exactly this behavior
>> already?
>
> It does (I suppose), if you're positive that your code is the first code to
> run on the page. I'm more talking about code out in the wild, where
> malicious/hijacked scripts on your page could alter how the page acts before
> your more trustworthy code is able to run. Yes, I know that the concept of
> code security is a whole can o' worms to itself, but I am just implying that
> this small thing would be helpful in protecting against some of the effects
> of such behavior.

I see.
On the other hand when a malicious/hijacked script loads before
"trustworthy code", all bets are off anyways.

The malicious script could schedule patching newly loaded code
directly without even overwriting Object.prototype (e.g. to reuse your
example, it could replace document.location.href occurrences with a
string constant in the 'trustworthy' function source directly).

This means forbidding overwriting properties of Object.prototype would
be 'security by obscurity' at best imho.


Regards,
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
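
The load-order dependence discussed in this message, as an added example that is not part of the original thread: it compares Object.freeze(Object.prototype) applied before and after another script has replaced a built-in. It assumes Node.js and its vm module (each context stands in for one page load); the script strings and the names loadPage, PROBE, TRUSTED_SCRIPT and UNTRUSTED_SCRIPT are constructed for illustration.

```javascript
// Added illustration, not code from the thread. Each vm context is a fresh
// realm with its own Object.prototype, standing in for one page load.
const vm = require("node:vm");

// Constructed stand-in for a script outside your control: it replaces a
// built-in method on Object.prototype (sloppy mode, like a classic <script>).
const UNTRUSTED_SCRIPT =
  "Object.prototype.hasOwnProperty = function () { return true; };";

// Constructed stand-in for the page's own code, which applies the freeze.
const TRUSTED_SCRIPT = "Object.freeze(Object.prototype);";

// Runs inside the realm after all scripts and reports what state it is in.
const PROBE = `(function () {
  "use strict";
  // Behavioural check: a genuine hasOwnProperty says false for a missing key.
  const builtinIntact = ({}).hasOwnProperty("missing") === false;
  let lateWriteBlocked = false;
  try {
    Object.prototype.hasOwnProperty = function () { return true; };
  } catch (e) {
    lateWriteBlocked = e instanceof TypeError; // frozen: strict write throws
  }
  return JSON.stringify({
    frozen: Object.isFrozen(Object.prototype),
    lateWriteBlocked,
    builtinIntact,
  });
})()`;

// Load the given scripts, in order, into one fresh realm and probe it.
function loadPage(scripts) {
  const realm = vm.createContext({});
  for (const src of scripts) vm.runInContext(src, realm);
  return JSON.parse(vm.runInContext(PROBE, realm));
}

// Freeze first: the later overwrite is ignored and the built-in survives.
const freezeFirst = loadPage([TRUSTED_SCRIPT, UNTRUSTED_SCRIPT]);
// Freeze second: the freeze succeeds, but it locks in the replaced method.
const freezeSecond = loadPage([UNTRUSTED_SCRIPT, TRUSTED_SCRIPT]);

console.log({ freezeFirst, freezeSecond });
```

In both runs the prototype reports as frozen and rejects further writes, so those two flags alone cannot tell a page that froze first from one that froze second.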
