Experimental implementation of Object.observe & JS Utility library now available

Erik Arvidsson erik.arvidsson at gmail.com
Fri Aug 17 05:39:03 PDT 2012

Yes, only own properties are taken into account.

I think there might be some open issues related to __proto__ depending on
whether it ends up being an accessor or magic data property in the end.

On Aug 17, 2012 6:04 AM, "Andrea Giammarchi" <andrea.giammarchi at gmail.com> wrote:

> As far as I can tell, Object.observe(obj) creates a notifier in the obj
> itself which means, after that, if you Object.prototype.whatever = 123; the
> obj notifier *won't* fire since it's not its own property and I do hope
> this works with own properties only otherwise not only can we have
> hijacking attacks but tremendous performance impact ( if a notifier has to
> automatically create a notifier up to the proto chain until the null
> prototype ... nonsense, imho )
> On Fri, Aug 17, 2012 at 11:01 AM, gaz Heyes <gazheyes at gmail.com> wrote:
>> On 17 August 2012 10:57, Andrea Giammarchi <andrea.giammarchi at gmail.com> wrote:
>>> the Notifier is lazily instantiated and I believe not enumerable so
>>> JSON.stringify should ever expose this property.
>>> Moreover, it does not look like there is a {}.__notifier__ property
>>> anywhere, Object.getNotifier(obj) is required indeed so a WeakMap that
>>> relates the obj, and its notifier, cannot be serialized in a meaningful way
>>> via JSON.stringify either.
>> Ah no I wasn't talking about the JSON object but remotely hacking JSON
>> feeds themselves using external scripts and hijacking the Object prototype
>> with Observe.