On Sat, Jan 24, 2015 at 2:42 PM, Isiah Meadows <[email protected]> wrote:
> > From: "Mark S. Miller" <[email protected]>
> > To: Gary Guo <[email protected]>
> > Cc: "[email protected]" <[email protected]>
> > Date: Sat, 24 Jan 2015 07:11:35 -0800
> > Subject: Re: @@toStringTag spoofing for null and undefined
> >
> > Of course it can, by tamper proofing (essentially, freezing)
> > Object.prototype. None of these protections are relevant anyway in an
> > environment in which the primordials are not locked down.
>
> Yeah, pretty much. That proverbial inch was given a long time ago. And the
> proverbial mile taken. And I highly doubt the spec is going to require
> `Object.freeze(Object.prototype)`,

Of course not. The key is the spec allows it. SES makes use of that.

> since that prohibits future polyfills and prolyfills of the Object
> prototype. Also, you could always straight up overwrite it, but that's even
> harder to protect against. (And how many cases do you know of literally
> overwriting built-in prototypes?)
>
> Or, to throw out an analog to Java, it is perfectly possible to call or
> even override a private method through reflection. JavaScript simply has
> more accessible reflection, more often useful since it's a more dynamic
> prototype-based OO language as opposed to a stricter class-based language.
>
> > On Sat, Jan 24, 2015 at 6:11 AM, Gary Guo <[email protected]> wrote:
> >>
> >> Now I have a tendency to support the suggestion that cuts the
> >> anti-spoofing part. If coder wants to make an object and pretend it's a
> >> built-in, let it be. The anti-spoofing algorithm could not prevent this
> >> case:
> >> ```
> >> Object.prototype.toString = function(){
> >>   return '[object I_Can_Be_Anything]';
> >> }
> >> ```
> >>
>
> Or this:
> ```js
> function handler() {
>   throw new Error("No prototype for you!");
> }
>
> Object.defineProperty(
>   Object,
>   'prototype',
>   {
>     get: handler,
>     set: handler,
>     enumerable: true
>   });
> ```
>
> Methinks this isn't going to get "fixed".
> > >> _______________________________________________
> > >> es-discuss mailing list
> > >> [email protected]
> > >> https://mail.mozilla.org/listinfo/es-discuss
> >
> > --
> > Cheers,
> > --MarkM

--
Text by me above is hereby placed in the public domain

Cheers,
--MarkM
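The contrast the thread turns on, as an added example that is not part of the original messages and is not SES code: Gary Guo's `Object.prototype.toString` override is run in two fresh Node.js `vm` realms, one left open and one where `Object.freeze(Object.prototype)` ran first. The `runInFreshRealm` helper, the probe script and the use of `vm` are assumptions of this example.

```javascript
// Added example, not from the thread. Each scenario runs in its own realm
// (Node.js vm context) so the host's primordials are never modified.
const vm = typeof require === 'function'
  ? require('node:vm')                      // CommonJS
  : process.getBuiltinModule('node:vm');    // ES module (recent Node.js)

// Gary Guo's override from the thread, attempted in strict mode, followed
// by a probe of what the realm reports afterwards.
const SPOOF_AND_PROBE = `
  var assignError = null;
  try {
    (function () {
      'use strict';
      Object.prototype.toString = function () {
        return '[object I_Can_Be_Anything]';
      };
    })();
  } catch (e) {
    assignError = e.name;
  }
  ({
    assignError: assignError,
    plain: String({}),
    viaCall: Object.prototype.toString.call(null),
    frozen: Object.isFrozen(Object.prototype)
  });
`;

// lockDown = true freezes Object.prototype before the override runs,
// standing in for tamper-proofing done ahead of untrusted code.
function runInFreshRealm(lockDown) {
  const realm = vm.createContext({});
  if (lockDown) {
    vm.runInContext('Object.freeze(Object.prototype);', realm);
  }
  return vm.runInContext(SPOOF_AND_PROBE, realm);
}

const unlocked = runInFreshRealm(false);
const locked = runInFreshRealm(true);
console.log('unlocked:', unlocked.plain, unlocked.viaCall);
console.log('locked:  ', locked.assignError, locked.plain, locked.viaCall);
```

Freezing only `Object.prototype` covers just this one override; the thread's point concerns locking down the primordials as a whole.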

