Hi Axel,

On 21/04/2013 01:37, Axel Rauschmayer wrote:
__proto__ can be globally switched off by deleting Object.prototype.__proto__. I'm assuming that that is useful for security-related applications (Caja et al.). But I'm wondering: doesn't that go too far? I'm seeing three ways of using __proto__:

1. Read the [[Prototype]] of an object. Already possible via Object.getPrototypeOf().

2. Set the [[Prototype]] of a fresh object created via an object literal (i.e., an alternative to the rejected <| operator). Already (kind of) possible via Object.create().
Also possible with class syntax and the "extends" keyword (with all the @@create internal semantics).

3. Mutate the [[Prototype]] of an existing object.

Globally, I would only want to switch off #3.
You can re-enable #1 by re-adding Object.prototype.__proto__ as your own getter wrapping Object.getPrototypeOf. Or maybe instead of "delete Object.prototype.__proto__", just do:
    Object.defineProperty(Object.prototype, "__proto__", {set: undefined});

#2 is possible with Object.create and class syntax "extends".
Are there use cases for #2 where both Object.create and "extends" would be inappropriate?

David
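
The setter-only removal suggested in the message above, as an added example that is not part of the original post: it checks which of the three uses survive once only the `__proto__` setter is removed, and goes one step further than the thread by also checking `Object.setPrototypeOf`. The helper names `probe` and `withSetterDisabled` are hypothetical, and the code assumes an engine where `Object.prototype.__proto__` is a configurable accessor.

```javascript
// Added example, not code from the thread. probe() and withSetterDisabled()
// are hypothetical helper names chosen for this illustration.

function probe() {
  'use strict'; // a write to an accessor without a setter throws here
  const other = { tag: 'other' };
  const target = {};
  const result = {};

  // Use #1: read the [[Prototype]] through the inherited getter.
  result.read = target.__proto__ === Object.prototype;

  // Use #2: __proto__ in an object literal is syntax, it never calls the setter.
  const lit = { __proto__: other };
  result.literal = Object.getPrototypeOf(lit) === other;

  // Use #3: mutate an existing object by assignment (goes through the setter).
  try {
    target.__proto__ = other;
    result.assignThrew = false;
  } catch (e) {
    result.assignThrew = e instanceof TypeError;
  }
  result.mutatedByAssign = Object.getPrototypeOf(target) === other;

  // Object.setPrototypeOf does not use the accessor on Object.prototype.
  const viaApi = {};
  Object.setPrototypeOf(viaApi, other);
  result.mutatedByApi = Object.getPrototypeOf(viaApi) === other;
  return result;
}

// Apply the defineProperty call from the message, run fn, then restore the
// original accessor so the rest of the program is unaffected.
function withSetterDisabled(fn) {
  const saved = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  Object.defineProperty(Object.prototype, '__proto__', { set: undefined });
  try {
    return fn();
  } finally {
    Object.defineProperty(Object.prototype, '__proto__', saved);
  }
}

const before = probe();
const after = withSetterDisabled(probe);
console.log({ before, after });
```

With the setter removed, reading and the object-literal form still work and assignment no longer changes the prototype, but `Object.setPrototypeOf` still does, so a lockdown aimed at use #3 has to handle that function separately.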