B.3.1 The __proto__ pseudo property

David Bruant bruant.d at gmail.com
Sun Apr 21 05:22:00 PDT 2013


Hi Axel,

Le 21/04/2013 01:37, Axel Rauschmayer a écrit :
> __proto__ can be globally switched off by deleting 
> Object.prototype.__proto__. I'm assuming that that is useful for 
> security-related applications (Caja et al.). But I'm wondering: 
> doesn't that go too far? I'm seeing three ways of using __proto__:
>
> 1. Read the [[Prototype]] of an object. Already possible via 
> Object.getPrototypeOf().
> 2. Set the [[Prototype]] of a fresh object created via an object 
> literal (i.e., an alternative to the rejected <| operator). Already 
> (kind of) possible via Object.create().
Also possible with class syntax and the "extends" keyword (with all the 
@@create internal semantics).

> 3. Mutate the [[Prototype]] of an existing object.
>
> Globally, I would only want to switch off #3.
You can re-enable #1 by re-adding Object.prototype.__proto__ as your own 
getter wrapping Object.getPrototypeOf. Or maybe instead of "delete 
Object.prototype.__proto__", just do:
     Object.defineProperty(Object.prototype, "__proto__", {set: undefined});

#2 is possible with Object.create and class syntax "extends".
Are there use cases for #2 where both Object.create and  "extends" would 
be inappropriate?

David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20130421/d5251b1a/attachment.html>


More information about the es-discuss mailing list