How to clean up __proto__ (was: Why we need to clean up __proto__)

David Bruant bruant.d at gmail.com
Thu Dec 29 04:49:06 PST 2011


On 29/12/2011 12:38, Lasse Reichstein wrote:
> There is one side-effect to defining __proto__ using a getter/setter
> property. You can extract the setter and store it for later, allowing
> you to change the prototype of objects after someone else deleted the
> __proto__ property.
>
> That means that if you're not the first script to run on a page, you
> can't know for sure that you can remove the setting-of-proto ability.
> But then again, if you're not the first script to run, you can't even
> know that you can remove it, or trust anything ever again, so it's not
> really a (new) problem, more of an observation.
I don't have a formal proof of it, but it seems that the security of a
webpage depends on who runs first. Basically, the first-runner has all
hands to alter the environment as desired (in defensive or offensive
ways).

David
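
The observation in the quoted message, as an added example that is not part of the original thread: a setter reference saved before `__proto__` is deleted keeps working afterwards, while an object made non-extensible by whoever runs first keeps its prototype. The function and variable names are hypothetical, and the demo restores the accessor before returning.

```javascript
// Added illustration; names are hypothetical, objects are constructed samples.
function demoCapturedSetter() {
  // Script A (runs early): keeps a reference to the accessor's setter.
  const desc = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  const savedSetter = desc.set;

  // Script B (runs later): removes the accessor, hoping to disable it.
  delete Object.prototype.__proto__;

  const result = { lockedThrows: false };
  try {
    const marker = { tagged: true };

    // With the accessor gone, assignment only creates an own data property.
    const plain = {};
    plain.__proto__ = marker;
    result.assignmentChangesProto = Object.getPrototypeOf(plain) === marker;

    // The saved setter is an ordinary function and still reaches [[Prototype]].
    const target = {};
    savedSetter.call(target, marker);
    result.savedSetterChangesProto = Object.getPrototypeOf(target) === marker;

    // Defensive step for objects you own: a non-extensible object rejects
    // any prototype change, so the saved setter throws a TypeError.
    const locked = Object.preventExtensions({});
    try {
      savedSetter.call(locked, marker);
    } catch (e) {
      result.lockedThrows = e instanceof TypeError;
    }
    result.lockedProtoUnchanged =
      Object.getPrototypeOf(locked) === Object.prototype;
  } finally {
    // Restore the environment so the demo has no lasting side effect.
    Object.defineProperty(Object.prototype, '__proto__', desc);
  }
  return result;
}

console.log(demoCapturedSetter());
```

In current engines `Object.setPrototypeOf` is a second route to the same operation, so deleting the accessor alone does not remove the capability either way.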

