B.3.1 The __proto__ pseudo property

Allen Wirfs-Brock allen at wirfs-brock.com
Sun Apr 21 08:55:10 PDT 2013

On Apr 20, 2013, at 4:37 PM, Axel Rauschmayer wrote:

> __proto__ can be globally switched off by deleting Object.prototype.__proto__. I’m assuming that that is useful for security-related applications (Caja et al.). But I’m wondering: doesn’t that go too far? I’m seeing three ways of using __proto__:
> 1. Read the [[Prototype]] of an object. Already possible via Object.getPrototypeOf().
> 2. Set the [[Prototype]] of a fresh object created via an object literal (i.e., an alternative to the rejected <| operator). Already (kind of) possible via Object.create().

Deleting Object.prototype.__proto__ will not be be specified as disabling {__proto__: foo}.  Use of __proto__  in an object literal  is a distinct syntax linked feature because the semantics of {key:value} is normally [[DefineOwnProperty]] rather than [[Put]].  There is also no particular reason to want to disable that usage.  It is ugly but is no more insecure than any other way of creating a new object with an explicitly provided prototype.

 Also note that JSON.parse('{"__proto__": null}') does not create an object whose [[Protoype]] is null because JSON.parse uses [[DefineOwnProperty]] to create all its properties so this will just result in an own property whose value is null.

> 3. Mutate the [[Prototype]] of an existing object.
> Globally, I would only want to switch off #3.
> Rationale: the only security-critical operation of the three(?) The use case for performing this operation goes mostly away by ES6 allowing us to subtype built-ins. Could #3 be forbidden in strict mode?

Not as the MOP is currently structured.  [[Set]] does not currently have a parameters that tells the target object whether or not a property assignment originated from strict mode code.

> #1 and #2 should not be possible if an object does not have Object.prototype in its prototype chain.
> Rationale: objects as dictionaries via Object.create(null) or { __proto__: null }

yes for #1, no for #2

> -- 
> Dr. Axel Rauschmayer
> axel at rauschma.de
> home: rauschma.de
> twitter: twitter.com/rauschma
> blog: 2ality.com
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20130421/ca130b41/attachment-0001.html>

More information about the es-discuss mailing list