__proto__ security

Mark S. Miller erights at google.com
Sat Jan 28 20:51:28 PST 2012


On Sat, Jan 28, 2012 at 12:16 PM, Brendan Eich <brendan at mozilla.org> wrote:

> I don't think we should change __proto__ unnecessarily from current
> implementations, including making it an accessor. Neither JSC nor
> SpiderMonkey does that.
>
> We do need the ability to delete it, so it should live on Object.prototype
> and be configurable.
>
> Ignoring the "don't gild the lily" (or "don't polish the turd") advice
> above, if we *do* reflect __proto__ as an accessor, then the same-frame
> problem still exists. Perhaps it can be solved by proxies, but why require
> that?
>

And what is the connection with proxies? I don't get it.


-- 
    Cheers,
    --MarkM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20120128/1b099bb0/attachment.html>


More information about the es-discuss mailing list