On Apr 20, 2013, at 4:37 PM, Axel Rauschmayer wrote:
> __proto__ can be globally switched off by deleting
> Object.prototype.__proto__. I’m assuming that that is useful for
> security-related applications (Caja et al.). But I’m wondering: doesn’t that
> go too far? I’m seeing three ways of using __proto__:
>
> 1. Read the [[Prototype]] of an object. Already possible via
> Object.getPrototypeOf().
> 2. Set the [[Prototype]] of a fresh object created via an object literal
> (i.e., an alternative to the rejected <| operator). Already (kind of)
> possible via Object.create().
Deleting Object.prototype.__proto__ will not be specified as disabling
{__proto__: foo}. Use of __proto__ in an object literal is a distinct syntax
linked feature because the semantics of {key:value} is normally
[[DefineOwnProperty]] rather than [[Put]]. There is also no particular reason
to want to disable that usage. It is ugly but is no more insecure than any
other way of creating a new object with an explicitly provided prototype.
Also note that JSON.parse('{"__proto__": null}') does not create an object
whose [[Prototype]] is null because JSON.parse uses [[DefineOwnProperty]] to
create all its properties so this will just result in an own property whose
value is null.
> 3. Mutate the [[Prototype]] of an existing object.
>
> Globally, I would only want to switch off #3.
> Rationale: the only security-critical operation of the three(?) The use case
> for performing this operation goes mostly away by ES6 allowing us to subtype
> built-ins. Could #3 be forbidden in strict mode?
Not as the MOP is currently structured. [[Set]] does not currently have a
parameter that tells the target object whether or not a property assignment
originated from strict mode code.
>
> #1 and #2 should not be possible if an object does not have Object.prototype
> in its prototype chain.
> Rationale: objects as dictionaries via Object.create(null) or { __proto__:
> null }
yes for #1, no for #2
>
> --
> Dr. Axel Rauschmayer
> [email protected]
>
> home: rauschma.de
> twitter: twitter.com/rauschma
> blog: 2ality.com
>
> _______________________________________________
> es-discuss mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/es-discuss
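The three uses of __proto__ discussed in the thread, as an added JavaScript example that is not part of the original messages: it shows that the object-literal form and JSON.parse are unaffected by deleting the accessor, while assignment-based mutation is. It assumes Node.js/V8; the prototype object passed in by the caller is constructed for the demo.

```javascript
// Added example (not from the thread): how the three uses of __proto__ behave
// before and after `delete Object.prototype.__proto__`. Written for Node.js/V8.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Use 1: read [[Prototype]] via the accessor vs. Object.getPrototypeOf().
function readPrototype(obj) {
  return {
    viaAccessor: obj.__proto__,             // undefined once the accessor is gone
    viaGetter: Object.getPrototypeOf(obj),  // unaffected by the deletion
  };
}

// Use 2: {__proto__: p} is a syntax-linked feature, not a [[Put]] to the
// accessor, so it keeps setting [[Prototype]] after the accessor is deleted.
function literalWithProto(proto) {
  const obj = { __proto__: proto, x: 1 };
  return { prototypeIsProto: Object.getPrototypeOf(obj) === proto,
           hasOwnProto: hasOwn(obj, "__proto__") };
}

// JSON.parse creates properties with [[DefineOwnProperty]], so a "__proto__"
// key in JSON text becomes an own data property and never touches [[Prototype]].
function parseJsonProto(text) {
  const obj = JSON.parse(text);
  const desc = Object.getOwnPropertyDescriptor(obj, "__proto__");
  return { prototypeUnchanged: Object.getPrototypeOf(obj) === Object.prototype,
           hasOwnProto: desc !== undefined,
           ownValue: desc ? desc.value : undefined };
}

// Use 3: mutate [[Prototype]] of an existing object by assignment ([[Set]]).
// With the accessor reachable this rewires the object; without it (accessor
// deleted, or an Object.create(null) dictionary with no Object.prototype in
// its chain) it merely creates an own "__proto__" data property.
function assignProto(obj, proto) {
  obj.__proto__ = proto;
  return { prototypeChanged: Object.getPrototypeOf(obj) === proto,
           hasOwnProto: hasOwn(obj, "__proto__") };
}

// Globally switch off the accessor; this is realm-wide and irreversible.
function disableProtoAccessor() {
  return delete Object.prototype.__proto__;  // true: the property is configurable
}
```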