On Scope And Prototype Security
bruant.d at gmail.com
Sun Mar 17 10:37:38 PDT 2013
Le 17/03/2013 18:09, Andrea Giammarchi a écrit :
> My concern is about being unable to let "anyone" retrieve that
> property, for introspection or to pollute it or change it being able
> to make my private constructor insecure.
> In the example there but in other situation I cannot freeze the
> prototype and yet I cannot hide it from outside in a meaningful way.
I see. I understand better why you change Private.prototype.init in the
A solution here would be to have a single function starting with
"if(domReady)" is which "domReady" is a boolean which value changes at
the 'DOMContentLoaded' event.
I won't pretend it's a perfect solution, but it works.
A sufficiently smart interpreter could notice that the domReady value is
never set to true after it's moved to false, so could remove the test
(but I can already hear Andreas Rossberg about my over-optimism of what
JIT-compilers do in practice :-) )
> AFAICT it looks like "just introspection" for something able to make
> private classes basically impossible is not a security concern so
> thanks for your answer, now I know there's no way to have that
> behavior now, neither tomorrow (so, long story short: good to know)
I'd like you to express more formally what property you're trying to
defend. My understanding is the following:
You have a constructor (and its .prototype property). You want to be
able to change properties of the .prototype at any point in time, while
providing instances generated by the constructor to some mixed trusted code.
Expressed this way, one can notice that giving access to an instance
implies giving access to the full [[Prototype]] chain (because of
Object.getPrototypeOf and __proto__ in browsers supporting that), so
anyone with access to an instance has access to the objects that are
kept mutable, making the problem unsolvable.
In my opinion, the issue is not in allowing access to [[Prototype]] but
in expecting everything to be always mutable.
Other than the "if(boolean)" solution above, a different solution could
A different (but admittedly complex and too heavy for the problem at
hand) solution could involve putting a proxy as .prototype. This proxy
doesn't allow mutation (throw on set trap or whatever), but whoever has
access to the underlying target (which can be kept private) can still
My point is that access to the prototype chain isn't an insecurity in
More information about the es-discuss