__proto__ security

Luke Hoban lukeh at microsoft.com
Thu Feb 9 10:53:48 PST 2012

My takeaway from this thread is that there is support for the proposed __proto__ semantics on the wiki [1], with a few modifications/additions.  Are the following a correct summary of the deltas?

*** Accessor vs. Data property
Although there does not appear to be a direct security implication of exposing Object.prototype.__proto__ as a true accessor property, there is a desire to be conservative about exposing new __proto__ capabilities beyond what is actually defacto available on browsers today.  As a result, the initial value of __proto__ should appear as a data property to developers, but remain internally an accessor property.

*** Object literals
The wiki does not currently discuss the semantics of __proto__ in object literals.  Given the desire to allow __proto__ to be removed, it seems more details are needed to nail down what this does:

    delete Object.prototype.__proto__
    { __proto__: {x: 1} }

I believe there are two options: 
  (1) __proto__ in object literals always sets the [[Prototype]], irrespective of the value of Object.prototype.__proto__ or 
  (2) __proto__ is treated as a [[Put]] instead of a [[DefineProperty]] in the Object Intialiser rules

The second option appears more inline with the goals of the wiki proposal.  

When there are multiple __proto__ in an object literal, I believe it has been suggested that this produce a SyntaxError.

*** JSON
I believe there is a requirement that JSON.parse('{"__proto__": {}}')  return an object with an own data property named __proto__ whose value is {}.  Browsers currently disagree on this though.


 [1] http://wiki.ecmascript.org/doku.php?id=strawman:magic_proto_property

More information about the es-discuss mailing list