Security Demands Simplicity (was: Private Slots)

David Bruant bruant.d at
Sun Jan 20 06:37:30 PST 2013

Le 20/01/2013 06:36, Kevin Smith a écrit :
>     It is not. At the exit of the get trap, the JS engine checks
>     whether invariants should be enforced for the given property on
>     the target. In your case, the runtime sees that the target has a
>     non-configurable non-writable property called 'foo' with 1 as
>     value. When you try to return 0, it will throw a TypeError because
>     of invariant violation. You can read about invariants at
> Excellent - thanks for the link!  One more:  What is the reason for 
> not providing an API for unwrapping a proxy (e.g. your 
> proxyToFinalTarget)?
If anyone can unwrap proxies, then the security benefits they provide 
are virtually non-existent akin to the Reflect API in Java.
It's possible to implement such a function yourself and expose it for 
some of your proxies, but it should be an opt-in, not something 
available by default to everyone in the language.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the es-discuss mailing list