__proto__ security

Brendan Eich brendan at mozilla.org
Sun Feb 12 14:47:09 PST 2012

Oliver Hunt wrote:
> On Feb 12, 2012, at 11:28 AM, Brendan Eich wrote:
>> Heh, I knew that was coming. I'll amend to say "of long standing" after "implementations" :-P.
>> I still have a gut feeling that someone is going to take advantage of the setter for bad purposes that will be harder to block than would be the case if __proto__ reflected as a data property. But I can't prove this.
> I'm not sure about this

Likewise, as noted -- I'm not sure but my gut is unhappy :-P.

>   -- the JSC+V8 model for __proto__ was a magic property on the object itself, not the prototype, so anything that could access an object could mutate its prototype.  Pushing the property onto the prototype doesn't add any more restrictions over that (if you can access an object, by definition you can access its prototype).

Yes, that's all clear.

>    If you pull the setter function off of the prototype you can still only apply it to objects you could already access.

The concern (no trolling here) is at least about attack surface. If 
there's no setter that can be extracted, there's no need for the "frame 
check" (however phrased). Adding that check adds more machinery to get 
wrong or have interact in unexpected ways with other moving parts.
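
The exchange above turns on whether a __proto__ setter that can be pulled off Object.prototype and re-applied to arbitrary receivers widens the attack surface compared with a magic own property. The following JavaScript is an added example, not code from the thread or from any engine; it runs in any ES2015+ engine, where __proto__ did ship as a configurable accessor on Object.prototype (Annex B), and shows what extracting the setter buys, which receiver and argument checks the specified setter performs (there is no realm or "frame" check in the specification; that would be extra machinery on top), and why deleting the accessor only helps if it happens before untrusted code runs. All function names and the sample objects are constructed for illustration.

```javascript
// Added example: extracting the __proto__ setter and exercising its checks.
// Not from the es-discuss thread; assumes an ES2015+ engine (Node.js works).

// 1. Under the accessor model the setter is an ordinary function that can be
//    captured once and applied to any receiver with .call / Reflect.apply.
const protoDesc = Object.getOwnPropertyDescriptor(Object.prototype, "__proto__");
const setProto = protoDesc.set;

// 2. An object that does not inherit from Object.prototype never sees the
//    accessor, so plain assignment only creates an own data property ...
function assignmentOnNullProtoObject() {
  const dict = Object.create(null);          // constructed "safe dictionary"
  dict.__proto__ = Array.prototype;
  return {
    protoUnchanged: Object.getPrototypeOf(dict) === null,
    ownDataProp: Object.getOwnPropertyDescriptor(dict, "__proto__").value === Array.prototype,
  };
}

// ... but the captured setter does not care where it was looked up; a
//     reference to the target object is all it needs.
function setterOnNullProtoObject() {
  const dict = Object.create(null);
  setProto.call(dict, Array.prototype);
  return Object.getPrototypeOf(dict) === Array.prototype;
}

// 3. The checks the specified setter performs on receiver and argument.
function setterEdgeCases() {
  const results = {};
  // a. undefined/null receiver: RequireObjectCoercible throws a TypeError.
  try { setProto.call(undefined, {}); results.undefinedReceiver = "no error"; }
  catch (e) { results.undefinedReceiver = e.constructor.name; }
  // b. primitive receiver: silently ignored, nothing is boxed or mutated.
  results.primitiveReceiver = setProto.call(42, {});
  // c. proto argument that is neither an object nor null: silently ignored.
  const o = {};
  setProto.call(o, "not an object");
  results.badProtoIgnored = Object.getPrototypeOf(o) === Object.prototype;
  // d. non-extensible target: [[SetPrototypeOf]] returns false, setter throws.
  const frozen = Object.freeze({});
  try { setProto.call(frozen, null); results.frozenTarget = "no error"; }
  catch (e) { results.frozenTarget = e.constructor.name; }
  return results;
}

// 4. Hardening by removing the accessor (the property is configurable, which
//    is also what Node's --disable-proto=delete does at startup). This affects
//    the whole realm, and a setter captured earlier keeps working regardless.
function removeProtoAccessor() {
  delete Object.prototype.__proto__;
  const accessorGone = Object.getOwnPropertyDescriptor(Object.prototype, "__proto__") === undefined;
  const plain = {};
  plain.__proto__ = Array.prototype;          // now just an own data property
  const assignmentInert = Object.getPrototypeOf(plain) === Object.prototype;
  const victim = {};
  setProto.call(victim, Array.prototype);     // captured before deletion
  const capturedStillWorks = Object.getPrototypeOf(victim) === Array.prototype;
  return { accessorGone, assignmentInert, capturedStillWorks };
}

console.log(JSON.stringify({
  assignment: assignmentOnNullProtoObject(),
  extractedSetter: setterOnNullProtoObject(),
  edgeCases: setterEdgeCases(),
  afterDelete: removeProtoAccessor(),
}, null, 2));
```

Run it with `node` and read the four sections in order: assignment cannot touch a null-prototype object, the extracted setter can, the setter's only refusals are undefined/null receivers and non-extensible targets, and deleting the accessor afterwards leaves the already-captured function fully functional. The practical consequence is that any check added to the setter, or any removal of it, has to be in place before the first untrusted script executes in the realm.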

