Object.prototype.* writable?

Kyle Simpson getify at gmail.com
Sat May 7 10:35:13 PDT 2011


>> It's a well known fact that overwriting anything in Object.prototype 
>> (like
>> Object.prototype.toString, for instance) is a very bad idea, because it
>> breaks for-in looping.
>
> Properties 'properly' added/updated using Object.defineProperty
> {enumerable: false} do not break for-in afaik.

I wasn't aware you could use Object.defineProperty() on `Object.prototype` 
itself. But, see below, because this part of the conversation is really 
outside the spirit of what I'm asking anyway. (I'm not talking about if my 
responsible code can do it, I'm talking about if other untrusted code does 
it first, before my code runs.)


>> 2. Would it be possible for Object.prototype.* to be read-only for
>> ES-Harmony (or even just strict mode)?
>> 3. By read-only, I mean that changes to it would just silently be 
>> discarded.
>> Alternatively (especially for strict mode), warnings/errors could be 
>> thrown
>> if attempting to override them?
>
> Doesn't Object.freeze(Object.prototype) provide exactly this behavior 
> already?

It does (I suppose), if you're positive that your code is the first code to 
run on the page. I'm more talking about code out in the wild, where 
malicious/hijacked scripts on your page could alter how the page acts before 
you're more trustworthy code is able to run. Yes, I know that the concept of 
code security is a whole can o' worms to itself, but I am just implying that 
this small thing would be helpful in protecting against some of the affects 
of such behavior.


>> I think that being able to override something like 
>> Object.prototype.toString
>> to "lie" about objects/values is a "security" hole we should consider
>> plugging. For instance, you can "lie" to
>> `document.location.href.toString()`... or a call like
>> `Object.prototype.toString.call(window.opera) == "[object Opera]"` (a 
>> common
>> browser inference for Opera) is easily fake'able.
>
> Doesn't this imply the application deliberately 'lies' to itself? Not
> sure to understand how would this be an issue?
> It might even be sort of useful for mocking.

(see above)


--Kyle

 



More information about the es-discuss mailing list