Object.prototype.* writable?

Kyle Simpson getify at gmail.com
Sun May 8 18:35:20 PDT 2011


> From: Dean Landolt
> Sent: Sunday, May 08, 2011 10:17 AM
>
>> Unfortunately, we're back to the chicken-and-the-egg... if I could 
>> guarantee that my code was the first to ever run on any page, almost none 
>> of the problems I'm complaining about would be an issue, because I could 
>> just make sandboxed copies of what I needed, and store them privately 
>> inside a closure. Being able to "run-first" is the key component that 
>> isn't true, and if it were true (which is required of "initSES.js"), then 
>> I wouldn't need "initSES.js".
>
> Forgive me if this has come up already and I missed it but wouldn't it be 
> enough if there were some mechanism to validate the integrity of 
> Object.prototype by asking the host env for a fresh copy and comparing 
> identities? Even if the frozen ship has sunk ISTM it ought to be enough to 
> be able to reliably detect the hijacking. This would probably be best left 
> to a web platform standards body but wouldn't that be a good place to 
> inject that kind of unforgeable factory for Object.prototype?

I would definitely support or appreciate a mechanism by which a clean/fresh 
copy of Object.prototype could be arrived at, without the hackiness of 
either launching an iframe or something like that. That's what my 
Object.__prototype__ was kind of getting at, a few messages ago.

I don't think it's enough to just detect that it's bad, if there's no way to 
undo the badness and get at the native functionality. But giving us another 
parallel interface which IS read-only would be, in my mind, a pretty simple 
solution to this problem. Of course, this would need to be true not just for 
Object but all the natives, like String, as well.

I'd be in favor of this as a shorter term solution than SES.

--Kyle




More information about the es-discuss mailing list