On Jan 19, 2015, at 2:59 PM, Nicholas C. Zakas wrote:
> According to 19.1.3.6 Object.prototype.toString() [1], it's possible to do
> this:
>
> ```js
> function Foo(){}
>
> Foo.prototype[Symbol.toStringTag] = "Null";
>
> Object.prototype.toString.call(new Foo()); // "[object Null]"
> ```
>
> It seems like `"Null"` and `"Undefined"` should be added to the step 17(b)
> list of exceptions to prevent spoofing of null and undefined values using
> this approach.
>
> I couldn't think of a reason why the current behavior would make sense, but
> if I'm off base, feel free to correct me. :)
>
> [1]:
> https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.prototype.tostring
>
Let's be clear, the legacy usage we are trying to preserve is specifically
detecting whether an object is one of those that in ES5 would have had a
[[Class]] value that was one of "Function", "Array", "RegExp", "Date",
"Arguments", "Error", "String", "Number", "Boolean".

In ES<=5, O.p.toString just reported an object's [[Class]] value and no object
created using a JS level constructor could have those specific [[Class]]
values. So O.p.toString worked as a brand check for those specific built-in
object representations.

We can't know everything JS programmers might have used that brand check for,
so we need to preserve that O.p.toString behavior for those specific built-ins.
Part of the behavior we want to preserve is that only the implementation
provided built-ins could return those specific values via O.p.toString (this was
a requirement introduced by ES5). The spoofing protection is designed to
preserve that requirement.

"null" and "undefined" were never [[Class]] values, and were actually
introduced into O.p.toString by ES5.1 to fix a specific problem that was
discovered after ES5 was completed (see threads starting at
https://mail.mozilla.org/pipermail/es5-discuss/2010-June/003581.html and
https://mail.mozilla.org/pipermail/es5-discuss/2010-June/003585.html ).

I find it a stretch to believe that anyone is depending upon using O.p.toString
as a non-spoofable brand check for null or undefined.
Allen
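
An added example, not part of either message or of the spec draft: it contrasts checks that read the `Object.prototype.toString` tag with checks an object cannot influence. In current engines the tag reports whatever `Symbol.toStringTag` supplies, including the legacy [[Class]] names listed above. The helper names and sample objects are constructed for illustration.

```javascript
const tagOf = (v) => Object.prototype.toString.call(v);

// Tag-based checks: these trust whatever Symbol.toStringTag reports.
const looksNullByTag = (v) => tagOf(v) === "[object Null]";
const looksArrayByTag = (v) => tagOf(v) === "[object Array]";
const looksDateByTag = (v) => tagOf(v) === "[object Date]";

// Checks that never consult Symbol.toStringTag.
const isNull = (v) => v === null;
const isUndefined = (v) => v === undefined;
const isArray = (v) => Array.isArray(v);

// Date.prototype.getTime throws a TypeError unless its receiver carries the
// internal [[DateValue]] slot, so it can serve as a brand check for Date.
function isDate(v) {
  try {
    Date.prototype.getTime.call(v);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample inputs.
function Foo() {}
Foo.prototype[Symbol.toStringTag] = "Null"; // the case from the quoted post
const fakeNull = new Foo();
const fakeArray = { [Symbol.toStringTag]: "Array", length: 0 };
const fakeDate = { [Symbol.toStringTag]: "Date" };
const relabelled = [1, 2, 3]; // a real array that hides behind another tag
relabelled[Symbol.toStringTag] = "Object";

// Each row: [name, result of tag-based check, result of slot/identity check].
function report() {
  return [
    ["fakeNull", looksNullByTag(fakeNull), isNull(fakeNull)],
    ["fakeArray", looksArrayByTag(fakeArray), isArray(fakeArray)],
    ["fakeDate", looksDateByTag(fakeDate), isDate(fakeDate)],
    ["relabelled", looksArrayByTag(relabelled), isArray(relabelled)],
    ["null", looksNullByTag(null), isNull(null)],
    ["new Date(0)", looksDateByTag(new Date(0)), isDate(new Date(0))],
  ];
}

for (const [name, byTag, byCheck] of report()) {
  console.log(`${name}: tag-based=${byTag} robust=${byCheck}`);
}
```

The `relabelled` row shows the tag can also produce a false negative: a genuine array stops matching `"[object Array]"` once it carries its own `Symbol.toStringTag`.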