Actually, I withdraw that last sentence. Such protections are relevant as well in some specialized circumstances in which the trusted code runs first and squirrels away the relevant primordials such as Object.prototype.toString before it can be corrupted. Extra care is needed to avoid using it later as savedToString.call(obj) since that would leave it open to poisoning of Function.prototype.call.
See http://wiki.ecmascript.org/doku.php?id=conventions:safe_meta_programming

On Sat, Jan 24, 2015 at 7:11 AM, Mark S. Miller <[email protected]> wrote:

> Of course it can, by tamper proofing (essentially, freezing)
> Object.prototype. None of these protections are relevant anyway in an
> environment in which the primordials are not locked down.
>
> On Sat, Jan 24, 2015 at 6:11 AM, Gary Guo <[email protected]> wrote:
>
>> Now I have a tendency to support the suggestion that cuts the
>> anti-spoofing part. If coder wants to make an object and pretend it's a
>> built-in, let it be. The anti-spoofing algorithm could not prevent this
>> case:
>> ```
>> Object.prototype.toString = function(){
>>   return '[object I_Can_Be_Anything]';
>> }
>> ```
>>
>> _______________________________________________
>> es-discuss mailing list
>> [email protected]
>> https://mail.mozilla.org/listinfo/es-discuss
>
> --
> Cheers,
> --MarkM

--
Text by me above is hereby placed in the public domain

Cheers,
--MarkM
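The caveat in this message about `savedToString.call(obj)`, as an added example that is not part of the original thread: trusted code saves the primordials first, and a bound ("uncurried") form of the saved function keeps working after both `Object.prototype.toString` and `Function.prototype.call` are replaced. The names `uncurryThis`, `safeToString` and `demo`, and the `Poisoned_Call` string, are assumptions made for this illustration.

```javascript
// Runs first, as the "trusted code": capture primordials before tampering.
const savedToString = Object.prototype.toString;
const savedCall = Function.prototype.call;
const bind = Function.prototype.bind;

// uncurryThis(f)(self, ...args) behaves like f.call(self, ...args), but the
// bound function holds the original `call` internally, so invoking it does
// no property lookup on Function.prototype.
const uncurryThis = bind.bind(savedCall);
const safeToString = uncurryThis(savedToString);

// Simulates later code replacing the primordials, asks for the brand of
// `obj` in three ways, then restores the originals.
function demo(obj) {
  Object.prototype.toString = function () {
    return '[object I_Can_Be_Anything]';   // the case from the quoted message
  };
  Function.prototype.call = function () {
    return '[object Poisoned_Call]';       // constructed for this example
  };
  try {
    return {
      // Fresh lookup: reaches the replaced Object.prototype.toString.
      viaLookup: Object.prototype.toString.apply(obj, []),
      // Saved function, but `.call` is looked up at use time: poisoned.
      viaSavedCall: savedToString.call(obj),
      // Saved function invoked through the bound original `call`.
      viaUncurried: safeToString(obj),
    };
  } finally {
    Object.prototype.toString = savedToString;
    Function.prototype.call = savedCall;
  }
}

console.log(demo([]));
```

Only `viaUncurried` reports `[object Array]`; the other two return whatever the replaced functions choose to return.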

