__proto__ security

David Bruant bruant.d at gmail.com
Sun Feb 26 01:39:49 PST 2012

On 26/02/2012 01:23, Geoffrey Sneddon wrote:
> On 13/02/12 17:55, Allen Wirfs-Brock wrote:
>> Let's try to get this back to concrete issues that I can incorporate
>> into a specification.
>> The current draft is at
>> http://wiki.ecmascript.org/lib/exe/fetch.php?id=strawman%3Amagic_proto_property&cache=cache&media=harmony:draft_proto_spec_rev2.pdf
>> Gavin and Oliver seem to really want to use an accessor for 
>> Object.prototype.__proto__
> On the whole this is my preference too, as it practically eliminates
> special-casing for the __proto__ property, which on the whole I'm in
> favour of.
> I've basically implemented something close to what is attributed to
> Dave Herman on the wiki in Carakan now, albeit without the context
> check, though I agree it's a good idea. I wonder if it's
> web-compatible to disallow cross-context prototype chains (both
> through __proto__ and Object.create).
What is asked to be disallowed is only changing the prototype with
__proto__ in a cross-context manner.
Creating cross-context chains with Object.create has not been discussed,
I think, and should be fine...

...or not?
Given an attacker from context A and a defender from context D (I'll use
these letters to refer to the global object of each context), an
attacker can create an object like:

var maliciousProto = Object.create(D.Object.prototype);
// Add whatever own properties to maliciousProto

someObjectInD.__proto__ = maliciousProto;

I was enthusiastic about Gavin's Object.prototype ownership-based solution,
but it seems that as long as an attacker has the possibility to create
cross-context objects, an Object.prototype-based solution actually does
not prevent anything.

> The one thing I would prefer, however, would be that the setter is
> optional (i.e., it is permissible to have __proto__ have just a getter
> or have both a getter and a setter, but not just a setter).
I think that it's unrealistic since the web does use the setter as well.
If the setter was standardized as optional, all implementations would
implement it anyway.


More information about the es-discuss mailing list