David Teller David.Teller at univ-orleans.fr
Thu Sep 13 05:58:47 PDT 2007

On Tue, 2007-09-11 at 13:47 -0700, Kris Zyp wrote:
>         __proto__ breaks abstraction boundaries in the language --
>         it's just
> Hiding for the sake of abstraction is more valuable than introspective
> visibility? I disagree, at least with JavaScript; IMHO JS's
> introspective nature is one of its greatest strengths. Is there a
> precedent for this in other languages? Java is big on abstractions
> but inheritance is still introspectable (I realize that is not
> completely the same). And I believe that Self, the closest relative,
> makes the proto available through a .parent* property (I could be wrong
> about that).

I'd like to add a few cents on the subject of attacks: my research team is
working on security in the context of Firefox extensions. While
extensions are not the main focus of JavaScript, security decisions for
JS2 will be critical for them.

One thing many applications/extensions need is a way to actually hide
some information from other applications/extensions. While there's no
way to fully hide something from someone who can meddle with the VM, at
least there should be some limits to JS2's introspection capabilities,
unless we want extensions to become vectors for
credit-card-number-stealing attacks.

I realise that a read-only __proto__ probably can't be used for this
type of attack. But, well, I wanted this to be said before
"introspection rulez" becomes written in stone.


David Teller ------------------------------------------
Security of Distributed Systems -----------------------
-- http://www.univ-orleans.fr/lifo/Members/David.Teller
----- Laboratoire d'Informatique Fondamentale d'Orleans
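As an added illustration of the point under discussion (this is example code written for this page, not code from the thread, from ES4, or from any Firefox extension), the JavaScript below contrasts state that is reachable by walking the prototype chain with state held in a closure, and shows that making the object (and hence its __proto__ link) read-only does not stop a reader from traversing the chain. The wallet functions, the card number, and the property names are constructed for the example; nothing here is a real extension API.

```javascript
// Added example, not from the es4-discuss thread. Demonstrates what
// prototype-chain introspection (__proto__ / Object.getPrototypeOf) exposes
// to another script in the same realm, and what closures keep out of reach.

// Hypothetical "wallet" whose sensitive value is an ordinary property on an
// object that sits behind the returned object's __proto__. The card number
// is constructed sample data.
function makeLeakyWallet(number) {
  const secretHolder = { cardNumber: number }; // reachable via __proto__
  return Object.create(secretHolder, {
    last4: { value: number.slice(-4), enumerable: true },
  });
}

// Hypothetical wallet that keeps the number in a closure: no property on any
// object in the prototype chain refers to it, so chain walking cannot find it.
function makeClosedWallet(number) {
  const secret = number;
  return {
    last4: number.slice(-4),
    charge(amount) {
      return `charged ${amount} to card ending ${secret.slice(-4)}`;
    },
  };
}

// Walk the prototype chain and list every own property name we can reach,
// tagging whether it is an own property or inherited through __proto__.
function walkPrototypeChain(obj) {
  const found = [];
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    for (const key of Object.getOwnPropertyNames(o)) {
      found.push([key, o === obj ? "own" : "inherited"]);
    }
  }
  return found;
}

// What a curious script sharing the realm would do: look for a property named
// "cardNumber" anywhere up the chain. Returns the value or null.
function findCardNumber(wallet) {
  for (let o = wallet; o !== null; o = Object.getPrototypeOf(o)) {
    if (Object.prototype.hasOwnProperty.call(o, "cardNumber")) {
      return o.cardNumber;
    }
  }
  return null;
}

// Freezing makes properties (and the [[Prototype]] link) non-writable, but
// reading the chain still works: "read-only __proto__" is not "hidden".
function readThroughFrozenWallet(wallet) {
  Object.freeze(wallet);
  return findCardNumber(wallet);
}
```

Usage: build each wallet with a sample number, then call `findCardNumber` on both; the leaky wallet gives up the number (even after `Object.freeze`), while the closure-based wallet returns null, yet `charge` still works because the function itself holds the reference. `walkPrototypeChain` shows the leaked property reported as "inherited", i.e. found only by following __proto__.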
