Standardizing __proto__

Bradley Meck bradley.meck at
Fri Mar 18 09:39:09 PDT 2011

I see the use of setting prototypes at runtime, but with proxies I
think it is not needed, and .__proto__ is commonly used in attacks
(WebKit-based browsers have a couple of attacks still viable using this
to get to various things). For example, a prototype injection:

function foo() {}
var tmp = foo.__proto__;
foo.__proto__ = {call: function() { return "win"; }};
foo.__proto__.__proto__ = tmp;
> "win"
> undefined //works as intended

If a proposal could be made to prevent this sort of attack I think it
could gain more traction, but first I would remove it from the
original object into something like Object.setPrototype if you were to
do so. Until a safe implementation of this can be determined, I doubt
it will get much in terms of specification.


On Fri, Mar 18, 2011 at 11:29 AM, John-David Dalton
<john.david.dalton at> wrote:
> @Oliver
>> That said, your examples of environments that support it are slightly misleading, as there are only a few JS engines being used between them: Carakan
>> (Opera person, is this correct?), JavaScriptCore, SpiderMonkey and V8.   AIR uses WebKit so pulls in JSC, and presumably ActionScript as well,
>> although ActionScript is not really an ES engine so I'm unsure if it counts to this discussion.
> The point is __proto__ has a very long history and is supported by
> more browsers/environments than it's not.
> @Mike Shaver
> For other possible uses please check out:
> and follow the bug report.
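The prototype swap described in the message above, with three defensive counterparts, as an added example that is not part of the original thread: a check that a function's prototype is still Function.prototype, an invocation path that never looks up `call` on the target, and Object.preventExtensions to block the swap. It assumes an ES2015+ engine (Reflect.apply); all function names here are hypothetical.

```javascript
// Captured up front, before any untrusted code can tamper with globals.
const pristineApply = Reflect.apply;
const getProto = Object.getPrototypeOf;

// The swap from the message: splice an object carrying a fake `call`
// between a function and its original prototype.
function spliceFakeCall(fn) {
  const tmp = fn.__proto__;
  fn.__proto__ = { call: function () { return "win"; } };
  fn.__proto__.__proto__ = tmp;
  return fn;
}

// Detection: an ordinary function's immediate prototype is Function.prototype.
function hasExpectedPrototype(fn) {
  return getProto(fn) === Function.prototype;
}

// Defensive invocation: does not read `call` or `apply` from the target,
// so neither a spliced prototype nor an own `call` property is consulted.
function safeCall(fn, thisArg, ...args) {
  return pristineApply(fn, thisArg, args);
}

// Hardening: the prototype of a non-extensible object cannot be changed;
// assigning to __proto__ on it throws a TypeError.
function lockPrototype(fn) {
  return Object.preventExtensions(fn);
}

function demo() {
  function victim() { return "original"; }
  spliceFakeCall(victim);
  const result = {
    shadowedCall: victim.call(),             // resolved via the spliced object
    detected: !hasExpectedPrototype(victim), // the swap is visible
    safe: safeCall(victim, undefined),       // the real function body runs
  };
  function locked() { return "original"; }
  lockPrototype(locked);
  try {
    spliceFakeCall(locked);
    result.lockHeld = false;
  } catch (e) {
    result.lockHeld = e instanceof TypeError && hasExpectedPrototype(locked);
  }
  result.lockedCall = locked.call();         // genuine Function.prototype.call
  return result;
}
```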