B.3.1 The __proto__ pseudo property

Andrea Giammarchi andrea.giammarchi at gmail.com
Sun Apr 21 12:07:12 PDT 2013


V8 already poisons when getOwnPropertyDescriptor has a setter and this
setter is the __proto__ one:
https://code.google.com/p/v8/source/browse/trunk/src/v8natives.js#390

This means V8 always throws and does not preserve the same realm, if I
understand what that means:

document.body.appendChild(document.createElement('iframe'))
frames[0].Object.prototype.__proto__ = Object.prototype;
Array.prototype.__proto__ = frames[0].Array.prototype;

Or maybe it was about cross-domain security?

I've also already landed a bug+patch for V8 so that a flag at launch time
can eventually make that setter available:
https://code.google.com/p/v8/issues/detail?id=2645

Let's see how this goes



On Sun, Apr 21, 2013 at 11:53 AM, Brendan Eich <brendan at mozilla.com> wrote:

> Allen Wirfs-Brock wrote:
>
>> On Apr 21, 2013, at 11:12 AM, Brendan Eich wrote:
>>
>>  David Herman wrote:
>>>
>>>> On Apr 21, 2013, at 8:55 AM, Allen Wirfs-Brock <allen at wirfs-brock.com>
>>>>   wrote:
>>>>
>>>>  Deleting Object.prototype.__proto__ will not be specified as
>>>>> disabling {__proto__: foo}.
>>>>>
>>>> Was that what we'd agreed to?
>>>>
>>> I think what Allen means is, whether or not there's a magic
>>> Object.prototype.__proto__, you can
>>>
>>
> Note "can" here.
>
>
>    define (as in [[DefineOwnProperty]]) a plain old data property (or an
>>> accessor, for that matter, just different syntax) whose name is '__proto__'
>>> in an object literal.
>>>
>>
>> No, see the spec. strawman I posted.
>>
>> What I mean is that:
>>      let obj = {__proto__: null}
>> will always create an object whose [[Prototype]] is null.  Regardless of
>> whether or not anybody has done:
>>     delete Object.prototype.__proto__.
>>
>
> Yes, that's what I just wrote!
>
> What part was unclear?
>
>
>  There is no good reason to link the semantics of __proto__ in an object
>> literal to the existence of Dunder proto on Object.prototype.  The standard
>> semantics of object literal properties in ES5 have no dependencies upon the
>> shape of Object.prototype.
>>
>
> We agree.
>
>
>  This is specified by ES5, already.
>>>
>>
>> Doesn't matter because what ES5 specifies is already incompatible with
>> web reality when the property name is  __proto__.
>>
>
> No. Browsers implementing ES5 and de-facto __proto__ use
> [[DefineOwnProperty]] per ES5 to make '__proto__' in 'var o = {__proto__:
> "haha"}' an own data property shadowing Object.prototype.__proto__.
>
> Anything else (some variation on de-facto __proto__ that uses a magic
> per-object hidden [[DefineOwnProperty]], e.g.) breaks ES5.
>
> /be
>
>
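The distinction argued in this thread, as an added example that is not part of the original messages: it checks which spellings of `__proto__` set [[Prototype]] and which create an own property, with and without the Object.prototype.__proto__ accessor. It goes beyond the literal case quoted above (computed, shorthand, JSON.parse and assignment forms), assumes an engine implementing the semantics later standardized in ECMAScript 2015 Annex B (for example current Node.js), and all helper names are hypothetical.

```javascript
// Report an object's real [[Prototype]] and whether it has an own '__proto__' key.
function inspectProto(obj) {
  const p = Object.getPrototypeOf(obj);
  return {
    proto: p === null ? 'null' : p === Object.prototype ? 'Object.prototype' : 'other',
    ownKey: Object.prototype.hasOwnProperty.call(obj, '__proto__'),
  };
}

// Run fn with the Object.prototype.__proto__ accessor deleted, then restore it.
function withoutProtoAccessor(fn) {
  const saved = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  delete Object.prototype.__proto__;
  try {
    return fn();
  } finally {
    if (saved) Object.defineProperty(Object.prototype, '__proto__', saved);
  }
}

// Literal and parser forms: none of these consult Object.prototype.
function literalForms() {
  const __proto__ = null; // local binding consumed by the shorthand form
  return {
    plain: inspectProto({ __proto__: null }),        // sets [[Prototype]]
    quoted: inspectProto({ '__proto__': null }),     // sets [[Prototype]]
    computed: inspectProto({ ['__proto__']: null }), // own data property
    shorthand: inspectProto({ __proto__ }),          // own data property
    primitive: inspectProto({ __proto__: 'haha' }),  // ignored under ES2015 Annex B
    parsed: inspectProto(JSON.parse('{"__proto__": null}')), // own data property
  };
}

// Assignment form: goes through the accessor, so it depends on Object.prototype.
function assignmentForm() {
  const o = {};
  o.__proto__ = null;
  return inspectProto(o);
}

console.log('literals, accessor present:', literalForms());
console.log('literals, accessor deleted:', withoutProtoAccessor(literalForms));
console.log('assignment, accessor present:', assignmentForm());
console.log('assignment, accessor deleted:', withoutProtoAccessor(assignmentForm));
```

The literal results are identical in both runs, while the assignment result flips from a null prototype to an own `__proto__` key once the accessor is gone, which is why code that needs a prototype-less dictionary should not rely on assignment.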