Another de-facto insecurity we need to fix in ES5
Christian Plesner Hansen
christian.plesner.hansen at gmail.com
Thu Jun 18 01:01:27 PDT 2009

> As reason for skepticism, our v8 folk cite
> Seems like a fair chunk of those examples are in JS code that's not deployed
> on public Web sites.

Much of it is extension and browser implementation code, true. That
would still have to be rewritten unless we go for a model where we
disallow [[Prototype]] changes only for external js.

If you ignore internal js code there still seems to be a fair amount
left: code that runs in all browsers but checks that __proto__ is
present before writing to it or code that is only ever served to or
used with certain implementations (including rhino server-side).

But as Mark said, if these turn out to be non-problems or if we can
work around them then we're very sympathetic to the idea of a