> From: "Mark S. Miller" <erig...@google.com>
> To: Gary Guo <nbdd0...@hotmail.com>
> Cc: "es-discuss@mozilla.org" <es-discuss@mozilla.org>
> Date: Sat, 24 Jan 2015 07:11:35 -0800
> Subject: Re: @@toStringTag spoofing for null and undefined
> Of course it can, by tamper proofing (essentially, freezing)
> Object.prototype. None of these protections are relevant anyway in an
> environment in which the primordials are not locked down.

Yeah, pretty much. That proverbial inch was given a long time ago. And the
proverbial mile taken. And I highly doubt the spec is going to require
`Object.freeze(Object.prototype)`, since that prohibits future polyfills
and prolyfills of the Object prototype. Also, you could always straight up
overwrite it, but that's even harder to protect against. (And how many
cases do you know of literally overwriting built-in prototypes?)

Or, to throw out an analog to Java, it is perfectly possible to call or
even override a private method through reflection. JavaScript simply has
more accessible reflection, more often useful since it's a more dynamic
prototype-based OO language as opposed to a stricter class-based language.

>
> On Sat, Jan 24, 2015 at 6:11 AM, Gary Guo <nbdd0...@hotmail.com> wrote:
>>
>> Now I have a tendency to support the suggestion that cuts the
>> anti-spoofing part. If a coder wants to make an object and pretend it's a
>> built-in, let it be. The anti-spoofing algorithm could not prevent this
>> case:
>> ```
>> Object.prototype.toString = function(){
>>   return '[object I_Can_Be_Anything]';
>> }
>> ```
>>

Or this:
```js
function handler() {
  throw new Error("No prototype for you!");
}

Object.defineProperty(
  Object,
  'prototype',
  {
    get: handler,
    set: handler,
    enumerable: true
  });
```

Methinks this isn't going to get "fixed".

>> _______________________________________________
>> es-discuss mailing list
>> es-discuss@mozilla.org
>> https://mail.mozilla.org/listinfo/es-discuss
>>
>
>
>
> --
>     Cheers,
>     --MarkM
>
>
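
An added example, not part of the original messages: it replays the two snippets from the thread inside a fresh realm created with Node's `vm` module, once as-is and once after `Object.freeze(Object.prototype)`, and reports which writes the engine accepts. Node.js is assumed as the host, and the helper names `buildProbe` and `probeRealm` are hypothetical.

```javascript
// Added example. Each run uses a fresh realm from Node's built-in vm module,
// so the host process's own Object.prototype is never frozen or modified.
// The lookup below works whether this file is loaded as CommonJS or as ESM.
const vm = typeof require === 'function'
  ? require('node:vm')
  : process.getBuiltinModule('node:vm');

// Strict-mode script evaluated inside the realm. It optionally locks down
// Object.prototype, then replays both snippets from the thread and reports
// what happened. The script's completion value is the result object.
function buildProbe(lockDown) {
  return `'use strict';
    ${lockDown ? 'Object.freeze(Object.prototype);' : ''}
    function attempt(fn) {
      try { fn(); return 'succeeded'; } catch (e) { return e.name; }
    }
    const handler = function () { throw new Error('No prototype for you!'); };
    ({
      // Snippet 1: replace Object.prototype.toString.
      overrideToString: attempt(() => {
        Object.prototype.toString = function () {
          return '[object I_Can_Be_Anything]';
        };
      }),
      // Snippet 2: redefine the Object.prototype slot as an accessor.
      redefineSlot: attempt(() => {
        Object.defineProperty(Object, 'prototype',
          { get: handler, set: handler, enumerable: true });
      }),
      tagOfNull: Object.prototype.toString.call(null),
      frozen: Object.isFrozen(Object.prototype),
    });`;
}

// Run the probe in a brand-new context and copy the result into this realm.
function probeRealm(lockDown) {
  const result = vm.runInContext(buildProbe(lockDown), vm.createContext({}));
  return { ...result };
}

console.log('unlocked:', probeRealm(false));
console.log('locked:  ', probeRealm(true));
```

The probe runs in strict mode so that a rejected write surfaces as a `TypeError`; in sloppy mode the same assignment to a frozen prototype is ignored without an error.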