Last call: Function

Mark S. Miller erights at google.com
Thu Mar 20 17:50:51 PDT 2008


2008/3/20 Lars Hansen <lhansen at adobe.com>:
> Last call for comments on the Function spec.


* There's a conflict between defining call, apply, and bind as static
methods on the Function constructor vs defining them as instance
methods on functions (or as members of Function.prototype). The
problem is that the Function constructor is itself a function. When we
see

    Function.call(...)

is this invoking the static "call" method of the function constructor,
or is it invoking the instance "call" method common to all functions?


* At the last ES-wide face-to-face, I thought we'd all agreed that the
value of the thisObj argument to call/apply/bind, no matter what this
value is, would be the value that gets bound to "this" in the called
function. If I understand this proposed spec, f.call(null, ...) would
invoke f with its "this" bound to the global object. That behavior
makes JavaScript harder to secure, since this implicit access to the
global object enable privilege escalation attacks. Such implicit
access to the global object also prevents garbage collection
opportunities: In a frame in which the global object were otherwise
inaccessible, it would still need to be retained by any function that
might be called so as to manufacture access to the global object.

-- 
 Cheers,
 --MarkM



More information about the Es4-discuss mailing list