On Scope And Prototype Security
brendan at mozilla.com
Tue Mar 19 13:41:17 PDT 2013
Andrea Giammarchi wrote:
> so is __parent__ ... in the Mozilla world, not in every browser.

That's irrelevant and also it was never writable.

> So your point is that __proto__ is a good thing I guess, I thought it
> was rather a mistake.

I didn't say that. I just said it is old.

> Moreover, I am talking about the standard Object.getPrototypeOf()
> which has been introduced recently, not in 1998, and there's no
> mechanism to prevent it from returning the prototype.

SES and similar "prepared environment" dialects can and do handle things
like Object.getPrototypeOf (and __proto__).

> I understand now security is highly subjective here and private
> classes should not exist in a programming language.

No one said private classes should not exist. David mentioned traits.
ES5 provides tools for high-integrity abstractions. See

> Again, **good to know**
> On Tue, Mar 19, 2013 at 1:13 PM, Brendan Eich <brendan at mozilla.com
> <mailto:brendan at mozilla.com>> wrote:
> Andrea Giammarchi wrote:
> It is not possible to secure or make a class hidden, it was
> possible before the introduction of __proto__ and
> Object.getPrototypeOf in ES3, now this is gone, and this was
> my security concern.
> Again, it was possible, now it's not possible anymore.
> By "anymore" you mean since 1998 or so? __proto__ is very old.
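
An added example, not part of the original thread and not SES code: the ES5 tools mentioned in the reply (closures for private state, `Object.freeze` for shared behaviour) applied to a constructed `Counter` class. It shows that `Object.getPrototypeOf` still returns the prototype, but a frozen prototype cannot be altered through it. The names `makeCounterClass`, `tryReplaceDescribe` and `demo` are hypothetical.

```javascript
// Constructed example: a counter whose state lives in a closure (ES5 only).
function makeCounterClass(harden) {
  function Counter() {
    var count = 0;                       // private: reachable only via the closures below
    this.increment = function () { count += 1; return count; };
    this.value = function () { return count; };
    if (harden) { Object.freeze(this); } // instance methods cannot be replaced
  }
  Counter.prototype.describe = function () { return 'count=' + this.value(); };
  if (harden) {
    Object.freeze(Counter.prototype);    // shared behaviour cannot be replaced
    Object.freeze(Counter);
  }
  return Counter;
}

// Code that was handed only an instance: reach the prototype through the
// standard API and try to replace a shared method. Returns true if it stuck.
function tryReplaceDescribe(instance) {
  var proto = Object.getPrototypeOf(instance);
  try {
    proto.describe = function () { return 'tampered'; };
  } catch (e) {
    // TypeError in strict mode; in sloppy mode the write is silently ignored
  }
  return proto.describe.call(instance) === 'tampered';
}

function demo() {
  var Plain = makeCounterClass(false);
  var Hard = makeCounterClass(true);
  var p = new Plain(), h = new Hard();
  p.increment(); h.increment();
  return {
    plainTampered: tryReplaceDescribe(p),
    hardTampered: tryReplaceDescribe(h),
    plainDescribe: new Plain().describe(),   // a fresh instance sees the replaced method
    hardDescribe: h.describe(),
    protoStillReachable: Object.getPrototypeOf(h) === Hard.prototype,
    privateExposed: Object.prototype.hasOwnProperty.call(h, 'count')
  };
}

console.log(demo());
```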