B.3.1 The __proto__ pseudo property

Axel Rauschmayer axel at rauschma.de
Sat Apr 20 16:37:13 PDT 2013

__proto__ can be globally switched off by deleting Object.prototype.__proto__. I’m assuming that that is useful for security-related applications (Caja et al.). But I’m wondering: doesn’t that go too far? I’m seeing three ways of using __proto__:

1. Read the [[Prototype]] of an object. Already possible via Object.getPrototypeOf().
2. Set the [[Prototype]] of a fresh object created via an object literal (i.e., an alternative to the rejected <| operator). Already (kind of) possible via Object.create().
3. Mutate the [[Prototype]] of an existing object.

Globally, I would only want to switch off #3.
Rationale: the only security-critical operation of the three(?) The use case for performing this operation goes mostly away by ES6 allowing us to subtype built-ins. Could #3 be forbidden in strict mode?

#1 and #2 should not be possible if an object does not have Object.prototype in its prototype chain.
Rationale: objects as dictionaries via Object.create(null) or { __proto__: null }

Dr. Axel Rauschmayer
axel at rauschma.de

home: rauschma.de
twitter: twitter.com/rauschma
blog: 2ality.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20130421/772d49a2/attachment-0001.html>

More information about the es-discuss mailing list