__proto__ security

Allen Wirfs-Brock allen at wirfs-brock.com
Thu Feb 9 11:54:22 PST 2012

Someone should probably ask me to just write the appropriate spec language :-)

On Feb 9, 2012, at 10:53 AM, Luke Hoban wrote:

> My takeaway from this thread is that there is support for the proposed __proto__ semantics on the wiki [1], with a few modifications/additions.  Is the following a correct summary of the deltas?
> *** Accessor vs. Data property
> Although there does not appear to be a direct security implication of exposing Object.prototype.__proto__ as a true accessor property, there is a desire to be conservative about exposing new __proto__ capabilities beyond what is actually de facto available on browsers today.  As a result, the initial value of __proto__ should appear as a data property to developers, but remain internally an accessor property.

Saying it is internally an accessor property really is describing one possible implementation.  The real semantics would be that [[Put]]/[[Get]] of "__proto__" has the appropriate side-effects (conditional upon presence of the original Object.prototype.__proto__).  You can implement that any way you want as long as it has those semantics.

> *** Object literals
> The wiki does not currently discuss the semantics of __proto__ in object literals.  Given the desire to allow __proto__ to be removed, it seems more details are needed to nail down what this does:

but clearly {__proto__: obj} is needed for web interoperability.

>    delete Object.prototype.__proto__
>    { __proto__: {x: 1} }
> I believe there are two options: 
>  (1) __proto__ in object literals always sets the [[Prototype]], irrespective of the value of Object.prototype.__proto__ or 
>  (2) __proto__ is treated as a [[Put]] instead of a [[DefineProperty]] in the Object Initialiser rules
> The second option appears more inline with the goals of the wiki proposal.  

But we don't want {__proto__: 12} to change its standard [[DefineOwnProperty]] behavior if Object.prototype.__proto__ has been deleted.  This suggests a third option:

(3) If the enabling Object.prototype.__proto__ property is present, then __proto__ in object literals has the same [[Put]] semantics as an assignment to __proto__.

> When there are multiple __proto__ in an object literal, I believe it has been suggested that this produce a SyntaxError.

Duplicate data property definitions always throw in ES5 strict code, and the last definition is used in non-strict code.

{__proto__: a, __proto__: b} is a legal non-strict object literal whose __proto__ property has the value of b.

You can make it an early SyntaxError as part of this extension, but because whether it is a [[Prototype]] modifier or just a regular property definition is determined dynamically, I suggest that you just follow the ES5 non-strict rules and use the last definition.

> *** JSON
> I believe there is a requirement that JSON.parse('{"__proto__": {}}')  return an object with an own data property named __proto__ whose value is {}.
>
> Browsers currently disagree on this though.

Any that mutate [[Prototype]] in this case are introducing a new extension that should be strongly swatted down.

> Thanks,
> Luke
> [1] http://wiki.ecmascript.org/doku.php?id=strawman:magic_proto_property
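As an added example (not part of this post or of the wiki proposal), the following Node.js script observes in a current engine the behaviours the message discusses: JSON.parse producing an own data property named __proto__ rather than changing [[Prototype]]; a merge routine that uses plain [[Put]] (target[key] = value) and therefore reaches the Object.prototype.__proto__ setter with attacker-controlled JSON; a merge that defines own properties instead, the way JSON.parse does; and what deleting Object.prototype.__proto__ does to assignment versus the object-literal form. The function names naiveMerge and safeMerge and the JSON payload are constructed for the example. Note that engines today treat __proto__ in an object literal unconditionally (ES2015 Annex B.3.1), which is option (1) in Luke's summary rather than option (3) argued for here, and the last function checks that.

```javascript
// Added example: observable __proto__ semantics in a current engine (Node.js).

// 1. JSON.parse: "__proto__" is an own data property, never a [[Prototype]] change.
function parsedProtoIsOwnData() {
  const o = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed payload
  return Object.prototype.hasOwnProperty.call(o, '__proto__')
      && Object.getPrototypeOf(o) === Object.prototype
      && ({}).polluted === undefined;
}

// 2. Naive deep merge using [[Put]] (target[key] = value). When key is
//    "__proto__", target[key] reads the accessor and returns Object.prototype,
//    so the recursion writes straight onto the shared prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const v = source[key];
    if (v && typeof v === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

function naiveMergePollutes() {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}');
  naiveMerge({}, payload);
  const leaked = ({}).polluted === true;   // every object now "has" polluted
  delete Object.prototype.polluted;        // clean up the realm for later checks
  return leaked;
}

// 3. Hardened merge: create own data properties with [[DefineOwnProperty]]
//    (as JSON.parse does) and only recurse into the target's own properties,
//    so "__proto__" is just a key and the accessor is never invoked.
function defineOwn(obj, key, value) {
  Object.defineProperty(obj, key, {
    value, writable: true, enumerable: true, configurable: true,
  });
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const v = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (v && typeof v === 'object') {
      const child = (own && typeof own === 'object') ? own : {};
      defineOwn(target, key, child);
      safeMerge(child, v);
    } else {
      defineOwn(target, key, v);
    }
  }
  return target;
}

function safeMergeDoesNotPollute() {
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "a": {"b": 1}}');
  const out = safeMerge({}, payload);
  return ({}).polluted === undefined
      && Object.prototype.hasOwnProperty.call(out, '__proto__')
      && out.__proto__.polluted === true          // reads the own data property
      && Object.getPrototypeOf(out) === Object.prototype
      && out.a.b === 1;
}

// 4. The literal form sets [[Prototype]]; assignment goes through the setter.
function literalSetsPrototype() {
  const base = { hello: 1 };
  const o = { __proto__: base, x: 2 };
  return Object.getPrototypeOf(o) === base
      && !Object.prototype.hasOwnProperty.call(o, '__proto__');
}

// Deleting Object.prototype.__proto__ (the thread's opt-out) turns assignment
// into an ordinary [[Put]] that creates an own data property; the literal form
// is unaffected in current engines. Returns null if the accessor is already gone.
function deletingSetterDisablesAssignment() {
  const desc = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  if (!desc) return null;
  try {
    delete Object.prototype.__proto__;
    const base = { hello: 1 };
    const o = {};
    o.__proto__ = base;                       // plain [[Put]] now
    const assignmentIgnored = Object.getPrototypeOf(o) === Object.prototype
        && Object.prototype.hasOwnProperty.call(o, '__proto__');
    const lit = { __proto__: base };          // still a [[Prototype]] setter
    return assignmentIgnored && Object.getPrototypeOf(lit) === base;
  } finally {
    Object.defineProperty(Object.prototype, '__proto__', desc); // restore
  }
}

console.log({
  parsedProtoIsOwnData: parsedProtoIsOwnData(),
  naiveMergePollutes: naiveMergePollutes(),
  safeMergeDoesNotPollute: safeMergeDoesNotPollute(),
  literalSetsPrototype: literalSetsPrototype(),
  deletingSetterDisablesAssignment: deletingSetterDisablesAssignment(),
});
```

The deciding difference between naiveMerge and safeMerge is [[Put]] versus [[DefineOwnProperty]], which is exactly the distinction the message draws for object literals: a property definition never invokes the Object.prototype.__proto__ accessor, an assignment does.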
