__proto__ security

David Bruant bruant.d at gmail.com
Fri Feb 10 00:43:54 PST 2012

Le 10/02/2012 09:23, Gavin Barraclough a écrit :
> On Feb 9, 2012, at 7:18 PM, Allen Wirfs-Brock wrote:
>> I would expect Gavin's approach to ultimately be even worse than mine 
>> from a semantic analysis perspective. It expose (via 
>> Object.getOwnPropertyDescriptor)  functions that have the ability to 
>> mutate any object's [[Prototype]] property and one those functions 
>> are exposed they can be installed as methods or explicitly called at 
>> any time.  I think that tame them is likely to have even greater 
>> impact than what I have done.  Certainly, for the ES5 language level 
>> (which is what my current spec. addresses) there is no way to talk 
>> about frames or the association of one of these functions or any 
>> other object with a frame.  With my approach there is no need to 
>> match the proto mutator function's frame with the target object's 
>> frame, because there is no mutator function.
> Hi Allen,
> I completely agree with you that frame-based checks should not be a 
> part of the solution, however they are no more necessary if __proto__ 
> is an accessor property then if it is a data descriptor.  The solution 
> I proposed was that the [[ProtoSetter]] should hold a private 
> reference to the Object Prototype upon which it is initially assigned, 
> and that upon being invoked it should walk the this object's prototype 
> chain to see if it any entry matches the stored value.  With a check 
> such as this in place (I expect there are other ways we could achieve 
> this), it would not be possible to apply a given [[ProtoSetter]] to 
> any object other than those upon which it would initially have been 
> available to operate via the Object Prototype.
Maybe I'm missing something, but what you're proposing is *exactly* a 
frame-based check.
By assuming there can exist several [[ProtoSetter]] and several 
Object.prototype, you're implicitely saying that there are several 
frames. You do not name them, but I can't see the difference between a 
frame and "a context where objects inherit from a particular 

What you're doing is identifying a frame to the identity of its 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20120210/4f191be0/attachment.html>

More information about the es-discuss mailing list