On __proto__ as a magical data property
brendan at mozilla.org
Wed Jul 18 11:17:28 PDT 2012
Jeff Walden wrote:
> I can buy the argument the setter shouldn't be exposed, more or less. I don't think it presents intrinsic *danger* except in an ocap-y sense, but maybe I'm missing some concrete example.
Nothing to do with ocap per se here. As David wrote in a followup, TC39
came to reject the accessor reflection because it degrades defense in
depth. We do not only rely on one line of defense. We've had bugs where
some malware can get its hands on a powerful accessor and abuse it, in
spite of shallow (or just not deep enough) defenses elsewhere.
There's no "agree to disagree", we have a draft spec, we need to follow
it or lobby to change it. If anyone lobbies again for accessor, they
must confront the defense in depth argument against fully reflecting the
accessor (in particular not poisoning the setter).
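
The defense-in-depth concern in this message can be checked on a given runtime. The following is an added example, not code from the thread or from the draft spec; it assumes an engine that exposes `Object.prototype.__proto__` as a configurable accessor, and all function names are hypothetical.

```javascript
// Added example: audit how the running engine reflects the __proto__
// accessor, and compare behaviour with the accessor removed.

// Report whether Object.prototype.__proto__ exists and reflects a setter.
function auditProtoAccessor() {
  const desc = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  if (!desc) {
    return { present: false, setterReflected: false, configurable: false };
  }
  return {
    present: true,
    setterReflected: typeof desc.set === 'function',
    configurable: desc.configurable === true,
  };
}

// Check whether a reflected setter, applied to an object chosen by the
// caller, actually rebinds that object's prototype.
// Returns 'rebound', 'rejected' or 'unavailable'.
function probeSetter(target, newProto) {
  const desc = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  if (!desc || typeof desc.set !== 'function') return 'unavailable';
  try {
    desc.set.call(target, newProto);
  } catch (e) {
    return 'rejected'; // e.g. TypeError for a non-extensible target
  }
  return Object.getPrototypeOf(target) === newProto ? 'rebound' : 'rejected';
}

// Hardening step: run fn with the accessor deleted, then restore it so the
// rest of the program is unaffected by this demonstration.
function withProtoAccessorRemoved(fn) {
  const saved = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  if (saved) delete Object.prototype.__proto__;
  try {
    return fn();
  } finally {
    if (saved) Object.defineProperty(Object.prototype, '__proto__', saved);
  }
}

// Constructed sample objects.
const marker = { tag: 'constructed' };
console.log(auditProtoAccessor());
console.log(probeSetter({}, marker));
console.log(probeSetter(Object.preventExtensions({}), marker));
console.log(withProtoAccessorRemoved(() => probeSetter({}, marker)));
```

Where the setter is reflected, `Object.preventExtensions` is the only remaining barrier for an object that reaches untrusted code, which is the single line of defense the message argues against relying on.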