__proto__ security

Allen Wirfs-Brock allen at wirfs-brock.com
Fri Feb 10 08:14:25 PST 2012

On Feb 10, 2012, at 3:46 AM, Tom Van Cutsem wrote:

> Hi,
> I'm also in favor of exposing __proto__ as an accessor on the grounds that it is least magical. I'm worried that the changes made here to the core internal methods [[Get]], [[Put]], [[DefineOwnProperty]] and [[Delete]] will give proxies a hard time to properly emulate this behavior if they would want to do that. How would a proxy handler be able to access the internal variable UnderscoreProtoEnabled?

function UnderScopeProtoEnabled() {
   var p={};
   return Object.getPrototypeOf({__proto__:p})===p;

I believe the root question is whether we are willing to expose for arbitrary usage a function that is able to modify the [[Prototype]] of any object.  EG:

    Object.setPrototypeOf = function (obj,proto) {Object.getOwnPropertyDescriptor(Object.getPrototypeOf({}),"__proto__").set.call(obj,proto)};

Once we have don this, that function can be used in arbitrary places, including as or within get and set functions of any accessor property with any name on any object.

> (I currently assume that in any event, aProxy.__proto__ would just trigger the "get" trap for "__proto__" and that all of this magical behavior does not apply to proxies, only built-in normal objects.)


> Also +1 to Gavin's proposed alternative to the frame-check.

Yes, Gavin check amounts to the same thing  as mine, once you allow for differences in how we define Object.prototype.__proto

The important ifference is whether that check is make in the internals of a function that is visible as an accessor get function or whether the check is hidden inside the implementation of the standard internal methods.


More information about the es-discuss mailing list