cedricv at neonux.com
Sat May 7 10:59:52 PDT 2011
On Sun, May 8, 2011 at 00:35, Kyle Simpson <getify at gmail.com> wrote:
>> Doesn't Object.freeze(Object.prototype) provide exactly this behavior
> It does (I suppose), if you're positive that your code is the first code to
> run on the page. I'm more talking about code out in the wild, where
> malicious/hijacked scripts on your page could alter how the page acts before
> you're more trustworthy code is able to run. Yes, I know that the concept of
> code security is a whole can o' worms to itself, but I am just implying that
> this small thing would be helpful in protecting against some of the affects
> of such behavior.
On the other hand when a malicious/hijacked script loads before
"trustworthy code", all bets are off anyways.
The malicious script could schedule patching newly loaded code
directly without even overwriting Object.prototype (eg. to reuse your
example, it could replace document.location.href occurences with a
string constant in the 'trustworthy' function source directly).
This means forbidding overwriting properties of Object.prototype would
be 'security by obscurity' at best imho.
More information about the es-discuss