Jan 18 meeting notes

Brendan Eich brendan at mozilla.org
Wed Jan 18 21:44:09 PST 2012

> Waldemar Horwat <mailto:waldemar at google.com>
> January 18, 2012 5:27 PM
> My rough notes from today's meeting.
Thanks yet again for these.

> Use __proto__ in object literals to do a put (assuming that a 
> __proto__ getter/setter was created in Object.prototype) instead of a 
> defineProperty?  All modes or only nonstrict mode?
> Allen: Make such use of __proto__ to be a synonym for <|.  If a <| is 
> already present, it's an error.
> DaveH: __proto__ is ugly.  Don't want it in the language forever.
> Waldemar: What about indirect [] expressions that evaluate to 
> "__proto__"?  In Firefox they evaluate to accesses that climb the 
> prototype chain and usually reach a magic 
> getter/setter-that-isn't-a-getter-setter named __proto__ that sits on 
> Object.prototype.
> MarkM: Likes the ability to delete __proto__ setter and thereby 
> prevent anything in the frame from mutating prototypes.
> Waldemar: How do you guard against cross-frame prototype mutations?
> DaveH: __proto__ is in the "omg, what were we thinking" category.
> Waldemar: Opposed to making __proto__ mutate prototypes other than at 
> object construction.  This is getting insanely complex.
> Unresolved.

One point not recorded here: given MarkM's argument for 
Object.prototype.__proto__ as the one property to delete to remove this 
old beast, what kind of property does that appear to be to ES5's 
Object.getOwnPropertyDescriptor? Arguments pro and con for data property 
(as it appears to be in SpiderMonkey) vs. accessor (JSC intended to move 
to that from its hardcoded magic id handling in Get and Put code).

Argument for data property facade: an accessor allows extracting the 
setter from the property descriptor, call it stolen__proto__setter. Then 
if one makes an object with a bespoke proto-object but not delegating to 

   var o = { __proto__: Object.create(null) };

an attacker could mutate o's [[Prototype]] via 
stolen__proto__setter.call(o, evil_proto). This is not possible if 
Object.prototype.__proto__ reflects as a data property, because o's 
two-level proto chain is cut off from Object.prototype, so no further 
means of updating [[Prototype]] is available.
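
An added example, not part of the original message: it runs the extracted-setter argument above on an ES2015+ engine such as Node.js, where `Object.prototype.__proto__` reflects as an accessor, and checks two defenses (deleting the accessor, making the object non-extensible). The names `makeIsolated`, `runChecks` and `replacement` are illustrative assumptions; `replacement` is a constructed stand-in for `evil_proto`.

```javascript
// Added example: the "stolen setter" argument from the message, checked against
// a modern engine where Object.prototype.__proto__ reflects as an accessor.
const PROTO_DESC = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');

// The object from the message: its two-level chain never reaches Object.prototype.
function makeIsolated() {
  return { __proto__: Object.create(null) };
}

function runChecks() {
  const r = {};
  r.reflectsAsAccessor = !!PROTO_DESC && typeof PROTO_DESC.set === 'function';
  const stolenSetter = PROTO_DESC.set;      // extracted from the descriptor
  const replacement = { marker: true };     // constructed stand-in for evil_proto

  // 1. The isolated object inherits no __proto__ property at all ...
  const o = makeIsolated();
  r.inheritsProto = '__proto__' in o;
  // ... yet the extracted setter still rewrites its [[Prototype]].
  stolenSetter.call(o, replacement);
  r.isolatedMutated = Object.getPrototypeOf(o) === replacement;

  // 2. Deleting the accessor afterwards does not revoke an already-captured setter.
  delete Object.prototype.__proto__;
  try {
    const late = makeIsolated();
    stolenSetter.call(late, replacement);
    r.mutatedAfterDelete = Object.getPrototypeOf(late) === replacement;
  } finally {
    Object.defineProperty(Object.prototype, '__proto__', PROTO_DESC); // restore
  }

  // 3. Mitigation: a non-extensible object rejects any [[Prototype]] change.
  const hardened = Object.preventExtensions(makeIsolated());
  const original = Object.getPrototypeOf(hardened);
  try {
    stolenSetter.call(hardened, replacement);
    r.hardenedThrew = false;
  } catch (e) {
    r.hardenedThrew = e instanceof TypeError;
  }
  r.hardenedUnchanged = Object.getPrototypeOf(hardened) === original;
  return r;
}

console.log(runChecks());
```

Deleting the accessor only helps when it happens before any other code in the frame has had a chance to read the descriptor; `Object.preventExtensions` protects the individual object regardless of ordering.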

