On Sun, Feb 26, 2012 at 1:39 AM, David Bruant <[email protected]> wrote:
> Le 26/02/2012 01:23, Geoffrey Sneddon a écrit : > > On 13/02/12 17:55, Allen Wirfs-Brock wrote: > >> Let's try to get this back to concrete issues that I can incorporate > >> into a specification. > >> > >> The current draft is at > >> > http://wiki.ecmascript.org/lib/exe/fetch.php?id=strawman%3Amagic_proto_property&cache=cache&media=harmony:draft_proto_spec_rev2.pdf > >> > >> Gavin and Oliver seem to really want to use an accessor for > >> Object.prototype.__proto__ > > > > On the whole this is my preference too, as it practically eliminates > > special-casing for the __proto__ property, which on the whole I'm in > > favour of. > > > > I've basically implemented something close to what is attributed to > > Dave Herman on the wiki in Carakan now, albeit without the context > > check, though I agree it's a good idea. I wonder if it's > > web-compatible to disallow cross-context prototype chains (both > > through __proto__ and Object.create). > What is asked to be disallowed is only changing the prototype with > __proto__ in a cross-context manner. > Creating cross-context chains with Object.create has not been discussed > I think and should be fine... > > ....or not? > Given an attacker from context A, a defender from context D (I'll use > these letters to refer to the global object of each context). An > attacker can create an object like > ----- > var maliciousProto = Object.create(D.Object.prototype); > // Add whatever own properties to maliciousProto > > someObjectInD.__proto__ = maliciousProto > If D has already deleted F.Object.prototype.__proto__, then your attack fails at the above step. > ----- > > I was enthusiastic by Gavin Object.prototype ownership-based solution, > but it seems that as long as an attacker has the possibility to create > cross-context objects, an Object.prototype-based solution actually does > not prevent anything. > > > > The one thing I would prefer, however, would be that the setter is > > optional (i.e., it is permissible to have __proto__ have just a getter > > or have both a getter and a setter, but not just a setter). > I think that it's unrealistic since the web does use the setter as well. > If the setter was standardized as optional, all implementations would > implement it anyway. > > David > _______________________________________________ > es-discuss mailing list > [email protected] > https://mail.mozilla.org/listinfo/es-discuss > -- Cheers, --MarkM
_______________________________________________ es-discuss mailing list [email protected] https://mail.mozilla.org/listinfo/es-discuss
