__proto__ security

Gavin Barraclough barraclough at apple.com
Mon Feb 13 11:43:11 PST 2012

On Feb 12, 2012, at 11:28 AM, Brendan Eich wrote:
> Heh, I knew that was coming. I'll amend to say "of long standing" after "implementations" :-P.


> I still have a gut feeling that someone is going to take advantage of the setter for bad purposes that will be harder to block than would be the case if __proto__ reflected as a data property. But I can't prove this.

Understood. We needed to change our implementation to fix ES5 compatibility issues with our prior mechanism. Implementing this internally as an accessor is much cleaner for us, and I think we'd want to keep it implemented this way even if we were to add the magic necessary to allow us to make it masquerade as a data descriptor (I still firmly side with Mark's strawman as to how this should be presented to users, but I didn't intend our current implementation to preclude alternatives).
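
Added example, not part of the original message and not code from any implementation discussed in the thread: a check of how `__proto__` reflects on `Object.prototype`, and of which objects a script holding the reflected setter can still re-parent. It assumes a current ECMAScript engine such as Node.js; the helper names `protoReflection`, `trySetter` and `demo` and the sample objects are constructed for illustration.

```javascript
// Added illustration. Behaviour shown is that of current engines (assumed),
// not necessarily the 2012 implementations discussed in the thread.

// How __proto__ reflects on Object.prototype: 'accessor', 'data' or 'absent'.
function protoReflection() {
  const d = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  if (!d) return { kind: 'absent' };
  const isAccessor = typeof d.get === 'function' || typeof d.set === 'function';
  return { kind: isAccessor ? 'accessor' : 'data', configurable: d.configurable };
}

// When it reflects as an accessor, the setter is an ordinary function value.
// Apply it to `target` and report whether the prototype actually changed.
function trySetter(target, newProto) {
  const d = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  if (!d || typeof d.set !== 'function') return 'no-setter';
  try {
    d.set.call(target, newProto);
  } catch (e) {
    return e instanceof TypeError ? 'rejected' : 'error';
  }
  return Object.getPrototypeOf(target) === newProto ? 'changed' : 'unchanged';
}

// Constructed sample objects comparing three hardening choices.
function demo() {
  const marker = { marker: true };

  // A null-prototype dictionary does not inherit __proto__, so plain
  // assignment only creates an own property and leaves the prototype alone.
  const assigned = Object.create(null);
  assigned.__proto__ = marker;

  return {
    reflection: protoReflection().kind,
    plain: trySetter({}, marker),
    nullProtoAssign: Object.getPrototypeOf(assigned) === null ? 'unchanged' : 'changed',
    // The same kind of object is still reachable through the reflected setter.
    nullProtoSetter: trySetter(Object.create(null), marker),
    // Non-extensible (or frozen) objects refuse the prototype change.
    nonExtensible: trySetter(Object.preventExtensions({}), marker),
  };
}

console.log(demo());
```

On such an engine, only the non-extensible object resists the reflected setter, so objects whose prototype chain must not change are the ones to pass through `Object.preventExtensions` or `Object.freeze`.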

