Re: Should the entire JS structure be Object.freeze()'d if it's exposed through a read only property?
On Thu, Jul 30, 2015 at 9:00 AM, Tim Guan-tin Chien timdr...@mozilla.com wrote: This is not as convenient as a keyword in WebIDL but I think it's good enough. You might want to chime in on https://www.w3.org/Bugs/Public/show_bug.cgi?id=29004 which is asking for something similar (though more scoped). Note though that frozen in JavaScript only freezes the properties. If the object has private state that can still be modified through other means. E.g., freezing a Set or Map might not do what you expect it to do. -- https://annevankesteren.nl/ ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Should the entire JS structure be Object.freeze()'d if it's exposed through a read only property?
On 7/13/15 2:40 AM, Tim Guan-tin Chien wrote: In that case, the right question to ask would be (A) should DOMApplication#manifest be a recursive frozen JS structure Is it a plain vanilla object with nothing hanging off it that has getter/setters? If so, that would not be unreasonable. and maybe (B) should WebIDL binding provide an keyword like DeepFrozen that could recursive freeze the exposed structure. We could do that, probably. It's not trivial, but is doable. -Boris ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Should the entire JS structure be Object.freeze()'d if it's exposed through a read only property?
On 2015-07-13 2:40 AM, Tim Guan-tin Chien wrote: On Fri, Jul 10, 2015 at 2:45 AM, Boris Zbarsky bzbar...@mit.edu wrote: On 7/9/15 4:48 AM, Tim Guan-tin Chien wrote: In this case, I modified the manifest object passed from mozApp API, and the object was subsequently removed by the platform, so did my modifications. Fabrice said I should not be modified the object since it's marked as read only in WebIDL. readonly just means the property has a getter but no setter. Whether you can then modify the value returned by the getter is a separate issue that needs to be considered as part of designing an API. I wonder if platform should protect web authors more by simply freeze the entire structure when giving it to the content. If it were a dictionary, you could use https://developer.mozilla.org/en-US/docs/Mozilla/WebIDL_bindings#Frozen. But note that freezing is not recursive, so if some of the properties are themselves objects _they_ could still be mutated... Are there any other APIs expose a structure like this? Looks like we only use [Frozen] on sequences at the moment... -Boris Thanks for reply :bz. In that case, the right question to ask would be (A) should DOMApplication#manifest be a recursive frozen JS structure, and maybe I suppose we could do that, to remove this footgun, even though I can't remember other similar examples in the platform off the top of my head. ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Should the entire JS structure be Object.freeze()'d if it's exposed through a read only property?
On Fri, Jul 10, 2015 at 2:45 AM, Boris Zbarsky bzbar...@mit.edu wrote: On 7/9/15 4:48 AM, Tim Guan-tin Chien wrote: In this case, I modified the manifest object passed from mozApp API, and the object was subsequently removed by the platform, so did my modifications. Fabrice said I should not be modified the object since it's marked as read only in WebIDL. readonly just means the property has a getter but no setter. Whether you can then modify the value returned by the getter is a separate issue that needs to be considered as part of designing an API. I wonder if platform should protect web authors more by simply freeze the entire structure when giving it to the content. If it were a dictionary, you could use https://developer.mozilla.org/en-US/docs/Mozilla/WebIDL_bindings#Frozen. But note that freezing is not recursive, so if some of the properties are themselves objects _they_ could still be mutated... Are there any other APIs expose a structure like this? Looks like we only use [Frozen] on sequences at the moment... -Boris Thanks for reply :bz. In that case, the right question to ask would be (A) should DOMApplication#manifest be a recursive frozen JS structure, and maybe (B) should WebIDL binding provide an keyword like DeepFrozen that could recursive freeze the exposed structure. In essence, (A) is the API design question, (B) is the infrastructure needed should answer to (A) is an yes. I would personally vote yes on both (A) and (B). Tim ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Should the entire JS structure be Object.freeze()'d if it's exposed through a read only property?
On 7/9/15 4:48 AM, Tim Guan-tin Chien wrote: In this case, I modified the manifest object passed from mozApp API, and the object was subsequently removed by the platform, so did my modifications. Fabrice said I should not be modified the object since it's marked as read only in WebIDL. readonly just means the property has a getter but no setter. Whether you can then modify the value returned by the getter is a separate issue that needs to be considered as part of designing an API. I wonder if platform should protect web authors more by simply freeze the entire structure when giving it to the content. If it were a dictionary, you could use https://developer.mozilla.org/en-US/docs/Mozilla/WebIDL_bindings#Frozen. But note that freezing is not recursive, so if some of the properties are themselves objects _they_ could still be mutated... Are there any other APIs expose a structure like this? Looks like we only use [Frozen] on sequences at the moment... -Boris ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform