__proto__ security

[Brendan Eich]

Gavin Barraclough wrote:
> On Feb 10, 2012, at 11:55 AM, Brendan Eich wrote:
>> "over-specifying", right? I am in favor of specifying __proto__ 
>> minimally in Annex B.
>>>  But, one thing I would like enshrined in the spec is that 
>>> `"__proto__" in Object.create(null) === false`.
>> For sure!
>
> The idea of a minimal specification sounds really encouraging.  It 
> seems there are a few really key points that everyone appears to be in 
> complete agreement on – that the __proto__ property should be a member 
> of the Object Prototype, that this should be the only mechanism 
> available to change an object's prototype, and that it should be 
> configurable.

Yes.

BTW in taking our lumps (and dishing them out at fellow members) for CSS 
WG failure to codify de-facto style property standards, I've mentioned 
Ecma turning a blind eye toward __proto__. Great to finally get a 
normative/optional spec for it (whatever one thinks of the thing 
itself). __proto__ is used by Zepto.js and other mobile frameworks.

> On Feb 10, 2012, at 3:16 PM, Brendan Eich wrote:
>> I know of no implementations that reflect __proto__ as an accessor,
>
> WebKit is using an accessor in nightly builds.

Heh, I knew that was coming. I'll amend to say "of long standing" after 
"implementations" :-P.

I still have a gut feeling that someone is going to take advantage of 
the setter for bad purposes that will be harder to block than would be 
the case if __proto__ reflected as a data property. But I can't prove this.

/be