> From: "Mark S. Miller" <erig...@google.com>
> To: Gary Guo <nbdd0...@hotmail.com>
> Cc: "es-discuss@mozilla.org" <es-discuss@mozilla.org>
> Date: Sat, 24 Jan 2015 07:11:35 -0800
> Subject: Re: @@toStringTag spoofing for null and undefined
>
> Of course it can, by tamper proofing (essentially, freezing) Object.prototype. None of these protections are relevant anyway in an environment in which the primordials are not locked down.

Yeah, pretty much. That proverbial inch was given a long time ago. And the proverbial mile taken. And I highly doubt the spec is going to require `Object.freeze(Object.prototype)`, since that prohibits future polyfills and prolyfills of the Object prototype. Also, you could always straight up overwrite it, but that's even harder to protect against. (And how many cases do you know of literally overwriting built-in prototypes?)

Or, to throw out an analog to Java, it is perfectly possible to call or even override a private method through reflection. JavaScript simply has more accessible reflection, more often useful since it's a more dynamic prototype-based OO language as opposed to a stricter class-based language.

>
> On Sat, Jan 24, 2015 at 6:11 AM, Gary Guo <nbdd0...@hotmail.com> wrote:
>>
>> Now I have a tendency to support the suggestion that cuts the anti-spoofing part. If coder wants to make an object and pretend it's a built-in, let it be. The anti-spoofing algorithm could not prevent this case:
>> ```
>> Object.prototype.toString = function(){
>>   return '[object I_Can_Be_Anything]';
>> }
>> ```
>>

Or this:

```js
function handler() {
  throw new Error("No prototype for you!");
}

Object.defineProperty(
  Object,
  'prototype',
  {
    get: handler,
    set: handler,
    enumerable: true
  });
```

Me thinks this isn't going to get "fixed".

>> _______________________________________________
>> es-discuss mailing list
>> es-discuss@mozilla.org
>> https://mail.mozilla.org/listinfo/es-discuss
>>
>
> --
> Cheers,
> --MarkM
>
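
An added example, not part of the original thread: it runs Gary Guo's `Object.prototype.toString` override in a fresh realm with and without `Object.freeze(Object.prototype)` and reports what a `toString`-based type check sees in each. It assumes Node.js and its `vm` module (not mentioned in the thread); `probe` and `redefinePrototypeProperty` are names made up for this example.

```javascript
// Each probe runs in a new vm context (its own realm, with its own
// primordials), so the host's Object.prototype is never modified.
const vm = typeof require === 'function'
  ? require('vm')
  : process.getBuiltinModule('vm'); // fallback when run as an ES module

// The override quoted in the thread, as source text for the sandbox realm.
const OVERRIDE = `
  Object.prototype.toString = function () {
    return '[object I_Can_Be_Anything]';
  };`;

// Optionally lock down Object.prototype, attempt the override, then report
// what Object.prototype.toString returns inside that realm.
function probe({ freeze }) {
  const lockdown = freeze ? 'Object.freeze(Object.prototype);' : '';
  const report = `
    JSON.stringify({
      frozen: Object.isFrozen(Object.prototype),
      realArray: Object.prototype.toString.call([]),
      // An ordinary object carrying a Symbol.toStringTag of its own.
      tagged: Object.prototype.toString.call({ [Symbol.toStringTag]: 'Array' }),
      // Array.isArray does not consult toStringTag.
      taggedIsArray: Array.isArray({ [Symbol.toStringTag]: 'Array' })
    })`;
  // Sandbox code is sloppy-mode: a write to a frozen object is ignored.
  return JSON.parse(vm.runInNewContext(lockdown + OVERRIDE + report));
}

// The `prototype` property of Object is specified as non-writable and
// non-configurable, so replacing it with an accessor is rejected.
function redefinePrototypeProperty() {
  return vm.runInNewContext(`
    try {
      Object.defineProperty(Object, 'prototype', { get() {}, enumerable: true });
      'redefined';
    } catch (e) { e.name; }`);
}

console.log('unlocked:', probe({ freeze: false }));
console.log('frozen:  ', probe({ freeze: true }));
console.log('defineProperty(Object, "prototype"):', redefinePrototypeProperty());
```

In the frozen realm the override has no effect, but an object with its own `Symbol.toStringTag` still reports `[object Array]`, while `Array.isArray` returns `false` for it.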