On Scope And Prototype Security

David Bruant bruant.d at gmail.com
Sun Mar 17 10:37:38 PDT 2013


Le 17/03/2013 18:09, Andrea Giammarchi a écrit :
> My concern is about being unable to let "anyone" retrieve that 
> property, for introspection or to pollute it or change it being able 
> to make my private constructor insecure.
> In the example there but in other situation I cannot freeze the 
> prototype and yet I cannot hide it from outside in a meaningful way.
I see. I understand better why you change Private.prototype.init in the 
middle.
A solution here would be to have a single function starting with 
"if(domReady)" is which "domReady" is a boolean which value changes at 
the 'DOMContentLoaded' event.
I won't pretend it's a perfect solution, but it works.
A sufficiently smart interpreter could notice that the domReady value is 
never set to true after it's moved to false, so could remove the test 
(but I can already hear Andreas Rossberg about my over-optimism of what 
JIT-compilers do in practice :-) )

> AFAICT it looks like "just introspection" for something able to make 
> private classes basically impossible is not a security concern so 
> thanks for your answer, now I know there's no way to have that 
> behavior now, neither tomorrow (so, long story short: good to know)
I'd like you to express more formally what property you're trying to 
defend. My understanding is the following:
You have a constructor (and its .prototype property). You want to be 
able to change properties of the .prototype at any point in time, while 
providing instances generated by the constructor to some mixed trusted code.

Expressed this way, one can notice that giving access to an instance 
implies giving access to the full [[Prototype]] chain (because of 
Object.getPrototypeOf and __proto__ in browsers supporting that), so 
anyone with access to an instance has access to the objects that are 
kept mutable, making the problem unsolvable.

In my opinion, the issue is not in allowing access to [[Prototype]] but 
in expecting everything to be always mutable.


Other than the "if(boolean)" solution above, a different solution could 
involve mixins.

A different (but admittedly complex and too heavy for the problem at 
hand) solution could involve putting a proxy as .prototype. This proxy 
doesn't allow mutation (throw on set trap or whatever), but whoever has 
access to the underlying target (which can be kept private) can still 
modify it.

My point is that access to the prototype chain isn't an insecurity in 
essence.

David


More information about the es-discuss mailing list