__proto__ security
David Bruant
bruant.d at gmail.com
Fri Feb 10 00:43:54 PST 2012
Le 10/02/2012 09:23, Gavin Barraclough a écrit :
> On Feb 9, 2012, at 7:18 PM, Allen Wirfs-Brock wrote:
>
>> I would expect Gavin's approach to ultimately be even worse than mine
>> from a semantic analysis perspective. It expose (via
>> Object.getOwnPropertyDescriptor) functions that have the ability to
>> mutate any object's [[Prototype]] property and one those functions
>> are exposed they can be installed as methods or explicitly called at
>> any time. I think that tame them is likely to have even greater
>> impact than what I have done. Certainly, for the ES5 language level
>> (which is what my current spec. addresses) there is no way to talk
>> about frames or the association of one of these functions or any
>> other object with a frame. With my approach there is no need to
>> match the proto mutator function's frame with the target object's
>> frame, because there is no mutator function.
>
> Hi Allen,
>
> I completely agree with you that frame-based checks should not be a
> part of the solution, however they are no more necessary if __proto__
> is an accessor property then if it is a data descriptor. The solution
> I proposed was that the [[ProtoSetter]] should hold a private
> reference to the Object Prototype upon which it is initially assigned,
> and that upon being invoked it should walk the this object's prototype
> chain to see if it any entry matches the stored value. With a check
> such as this in place (I expect there are other ways we could achieve
> this), it would not be possible to apply a given [[ProtoSetter]] to
> any object other than those upon which it would initially have been
> available to operate via the Object Prototype.
Maybe I'm missing something, but what you're proposing is *exactly* a
frame-based check.
By assuming there can exist several [[ProtoSetter]] and several
Object.prototype, you're implicitely saying that there are several
frames. You do not name them, but I can't see the difference between a
frame and "a context where objects inherit from a particular
Object.prototype".
What you're doing is identifying a frame to the identity of its
Object.prototype.
David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20120210/4f191be0/attachment.html>
More information about the es-discuss
mailing list