On __proto__ as a magical data property

Brendan Eich brendan at mozilla.org
Wed Jul 18 11:17:28 PDT 2012


Jeff Walden wrote:
> I can buy the argument the setter shouldn't be exposed, more or less.  I don't think it presents intrinsic*danger*  except in an ocap-y sense, but maybe I'm missing some concrete example.

Nothing to do with ocap per se here. As David wrote in a followup, TC39 
came to reject the accessor reflection because it degrades defense in 
depth. We do not only rely on one line of defense. We've had bugs where 
some malware can get its hands on a powerful accessor and abuse it, in 
spite of shallow (or just not deep enough) defenses elsewhere.

There's no "agree to disagree", we have a draft spec, we need to follow 
it or lobby to change it. If anyone lobbies again for accessor, they 
must confront the defense in depth argument against full reflecting the 
accessor (in particular not poisoning the setter).

/be


More information about the es-discuss mailing list