Put better, the spec requires that Object.freeze(Object.prototype) works.
On Sat, Jan 24, 2015 at 2:57 PM, Mark Miller <[email protected]> wrote:
>
> On Sat, Jan 24, 2015 at 2:42 PM, Isiah Meadows <[email protected]> wrote:
>
>> > From: "Mark S. Miller" <[email protected]>
>> > To: Gary Guo <[email protected]>
>> > Cc: "[email protected]" <[email protected]>
>> > Date: Sat, 24 Jan 2015 07:11:35 -0800
>> > Subject: Re: @@toStringTag spoofing for null and undefined
>> > Of course it can, by tamper proofing (essentially, freezing) Object.prototype. None of these protections are relevant anyway in an environment in which the primordials are not locked down.
>>
>> Yeah, pretty much. That proverbial inch was given a long time ago. And the proverbial mile taken. And I highly doubt the spec is going to require `Object.freeze(Object.prototype)`,
>>
> Of course not. The key is the spec allows it. SES makes use of that.
>
>> since that prohibits future polyfills and prolyfills of the Object prototype. Also, you could always straight up overwrite it, but that's even harder to protect against. (And how many cases do you know of literally overwriting built-in prototypes?)
>>
>> Or, to throw out an analog to Java, it is perfectly possible to call or even override a private method through reflection. JavaScript simply has more accessible reflection, more often useful since it's a more dynamic prototype-based OO language as opposed to a stricter class-based language.
>>
>> >
>> > On Sat, Jan 24, 2015 at 6:11 AM, Gary Guo <[email protected]> wrote:
>> >>
>> >> Now I have a tendency to support the suggestion that cuts the anti-spoofing part. If coder wants to make an object and pretend it's a built-in, let it be. The anti-spoofing algorithm could not prevent this case:
>> >>
>> >> ```
>> >> Object.prototype.toString = function(){
>> >>   return '[object I_Can_Be_Anything]';
>> >> }
>> >> ```
>> >>
>>
>> Or this:
>> ```js
>> function handler() {
>>   throw new Error("No prototype for you!");
>> }
>>
>> Object.defineProperty(
>>   Object,
>>   'prototype',
>>   {
>>     get: handler,
>>     set: handler,
>>     enumerable: true
>>   });
>> ```
>>
>> Me thinks this isn't going to get "fixed".
>>
>> >> _______________________________________________
>> >> es-discuss mailing list
>> >> [email protected]
>> >> https://mail.mozilla.org/listinfo/es-discuss
>> >>
>> >
>> > --
>> > Cheers,
>> > --MarkM
>> >
>>
>> _______________________________________________
>> es-discuss mailing list
>> [email protected]
>> https://mail.mozilla.org/listinfo/es-discuss
>>
>
> --
> Text by me above is hereby placed in the public domain
>
> Cheers,
> --MarkM
>

--
Text by me above is hereby placed in the public domain

Cheers,
--MarkM
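
The outcome of the two quoted snippets with and without `Object.freeze(Object.prototype)`, as an added example that is not part of the thread. Each snippet runs as strict code in a fresh Node.js `vm` realm; `probe`, `attempt` and the result field names are this example's own, and it freezes only `Object.prototype`, not the other primordials.

```javascript
const vm = require('node:vm');

// The two snippets quoted in the thread, as strict-mode source text.
const OVERRIDE_TOSTRING = `'use strict';
Object.prototype.toString = function () {
  return '[object I_Can_Be_Anything]';
};`;
const REDEFINE_PROTOTYPE = `'use strict';
function handler() { throw new Error('No prototype for you!'); }
Object.defineProperty(Object, 'prototype',
  { get: handler, set: handler, enumerable: true });`;

// Run source in the realm; report 'succeeded' or the thrown error's name.
function attempt(context, source) {
  try {
    vm.runInContext(source, context);
    return 'succeeded';
  } catch (err) {
    return err.name;
  }
}

// Build a fresh realm (its own Object and Object.prototype), optionally
// freeze Object.prototype first, then try both snippets and inspect the realm.
function probe(freezeFirst) {
  const context = vm.createContext({});
  if (freezeFirst) {
    vm.runInContext('Object.freeze(Object.prototype);', context);
  }
  return {
    // Assignment to a frozen property throws TypeError in strict code.
    override: attempt(context, OVERRIDE_TOSTRING),
    // Object's own 'prototype' property is non-writable and non-configurable,
    // so redefining it as an accessor throws TypeError in either case.
    redefine: attempt(context, REDEFINE_PROTOTYPE),
    tagOfNull: vm.runInContext('Object.prototype.toString.call(null)', context),
    frozen: vm.runInContext('Object.isFrozen(Object.prototype)', context),
  };
}

console.log('primordials untouched:', probe(false));
console.log('Object.prototype frozen:', probe(true));
```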

