getify at gmail.com
Sun May 8 18:35:20 PDT 2011
> From: Dean Landolt
> Sent: Sunday, May 08, 2011 10:17 AM
>> Unfortunately, we're back to the chicken-and-the-egg... if I could
>> guarantee that my code was the first to ever run on any page, almost none
>> of the problems I'm complaining about would be an issue, because I could
>> just make sandboxed copies of what I needed, and store them privately
>> inside a closure. Being able to "run-first" is the key component that
>> isn't true, and if it were true (which is required of "initSES.js"), then
>> I wouldn't need "initSES.js".
> Forgive me if this has come up already and I missed it but wouldn't it be
> enough if there were some mechanism to validate the integrity of
> Object.prototype by asking the host env for a fresh copy and comparing
> identities? Even if the frozen ship has sunk ISTM it ought to be enough to
> be able to reliably detect the hijacking. This would probably be best left
> to a web platform standards body but wouldn't that be a good place to
> inject that kind of unforgeable factory for Object.prototype?

I would definitely support or appreciate a mechanism by which a clean/fresh
copy of Object.prototype could be arrived at, without the hackiness of
either launching an iframe or something like that. That's what my
Object.__prototype__ was kind of getting at, a few messages ago.

I don't think it's enough to just detect that it's bad, if there's no way to
undo the badness and get at the native functionality. But giving us another
parallel interface which IS read-only would be, in my mind, a pretty simple
solution to this problem. Of course, this would need to be true not just for
Object but all the natives, like String, as well.

I'd be in favor of this as a shorter term solution than SES.
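
The check proposed in the quoted text (obtain a fresh Object.prototype from the host and compare), as an added example that is not part of the original message. Node's `vm` module stands in for the host-provided factory, and `freshRealm`, `sameSlot`, `auditObjectPrototype` and `tamperedSample` are hypothetical names; because objects from different realms never share identity, it compares property sets and function source text instead.

```javascript
// Added example (not from the thread). Node's vm module stands in for the
// "ask the host env for a fresh copy" factory; a browser would need an iframe.
const vm = require('vm');

// Fresh realm: untouched Object.prototype plus that realm's own Reflect and
// Function.prototype.toString, so the audit avoids the suspect realm's built-ins.
function freshRealm() {
  return vm.runInNewContext(`({ proto: Object.prototype, reflect: Reflect,
    fnToString: Function.prototype.toString })`);
}

// Cross-realm identities never match, so functions are compared by the source
// text the fresh toString reports. This is a heuristic, not a proof.
function sameSlot(a, b, fnToString) {
  if (typeof a !== typeof b) return false;
  if (typeof a !== 'function') return true;
  return fnToString.call(a) === fnToString.call(b);
}

// Returns sorted findings: "added:<key>", "removed:<key>", "replaced:<key>".
function auditObjectPrototype(suspect, fresh = freshRealm()) {
  const { proto, reflect, fnToString } = fresh;
  const findings = [];
  const expected = reflect.ownKeys(proto);
  for (const key of reflect.ownKeys(suspect)) {
    if (!expected.includes(key)) findings.push(`added:${String(key)}`);
  }
  for (const key of expected) {
    const got = reflect.getOwnPropertyDescriptor(suspect, key);
    const want = reflect.getOwnPropertyDescriptor(proto, key);
    if (!got) { findings.push(`removed:${String(key)}`); continue; }
    const intact = ['value', 'get', 'set'].every(
      (slot) => sameSlot(got[slot], want[slot], fnToString));
    if (!intact) findings.push(`replaced:${String(key)}`);
  }
  return findings.sort();
}

// Constructed sample: a second realm whose Object.prototype was modified.
function tamperedSample() {
  return vm.runInNewContext(`
    Object.prototype.hasOwnProperty = function hasOwnProperty() { return true; };
    Object.prototype.injected = 1;
    delete Object.prototype.valueOf;
    Object.prototype`);
}

console.log(auditObjectPrototype(tamperedSample()));
```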