On Scope And Prototype Security

Claus Reinke claus.reinke at talk21.com
Tue Mar 19 15:08:24 PDT 2013

> var public = (function(){
>  var private = {
>  };
>  return Object.freeze(
>    Object.create(private)
>  );
> }());
> // why I cannot avoid this? I'd **LOVE** to!
> Object.getPrototypeOf(public).test = 123;
> alert(public.test); // 123

At first, I thought you were right - __proto__ is an object property,
so there should be a way to turn it into a private property (assuming
ES6 will have such).

Then I thought, it would have to be protected, not private - if I extend
the prototype chain further down, I should still be able to go up 
through this __proto__ here, right?

My current thinking is still different: __proto__ is *not* a normal
object property, it is an implementation shorthand for extending
an object. If we were to copy all the methods from the prototype
chain into a single "class" object, that would serve the same 
purpose, the __proto__ links just save space.

In other words, you want to protect/make private the properties 
of the objects that __proto__ points to, and those objects themselves, 
not the __proto__ link.

For that purpose, a deep chain freeze, following the prototype chain,
and freezing all objects in it, would be less confusing/error prone 
than the shallow Object.freeze we have. Apart from the fact that
sharing of objects in the chain might freeze someone else's prototypes.
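
The deep chain freeze discussed in the message above, next to the shallow Object.freeze from the quoted snippet and the shared-prototype caveat, as an added example that is not part of the original post. The names freezeChain, stopAt, makeExposed, tamper and sharedCaveat are hypothetical, and stopping before Object.prototype and Function.prototype is an assumption of this sketch:

```javascript
// Added example, not from the original thread. freezeChain, stopAt,
// makeExposed, tamper and sharedCaveat are hypothetical names.

// Freeze obj and every object on its prototype chain, stopping before any
// prototype listed in stopAt (shared prototypes the caller does not own).
function freezeChain(obj, stopAt = [Object.prototype, Function.prototype]) {
  const frozen = [];
  let o = obj;
  while (o !== null && !stopAt.includes(o)) {
    Object.freeze(o);
    frozen.push(o);
    o = Object.getPrototypeOf(o);
  }
  return frozen; // the objects actually frozen, nearest first
}

// Same shape as the quoted snippet: an object whose prototype is a
// closure-local object that was meant to stay private.
function makeExposed(freezer) {
  const hidden = { secret() { return 'original'; } };
  return freezer(Object.create(hidden));
}

// Write through the prototype link and report what the object now sees.
function tamper(target) {
  const proto = Object.getPrototypeOf(target);
  try {
    proto.test = 123;                 // add a property
    proto.secret = () => 'replaced';  // replace a method
  } catch (e) {
    // Frozen prototype: strict mode throws TypeError here,
    // sloppy mode ignores the writes silently.
  }
  return { test: target.test, secret: target.secret() };
}

// The sharing caveat: freezing a's chain also freezes b's prototype.
function sharedCaveat() {
  const shared = {};
  const a = Object.create(shared);
  const b = Object.create(shared);
  freezeChain(a);
  return Object.isFrozen(Object.getPrototypeOf(b));
}

const shallow = tamper(makeExposed(Object.freeze));       // prototype still writable
const deep = tamper(makeExposed(o => freezeChain(o)[0])); // whole chain frozen
console.log(shallow, deep, sharedCaveat());
```

Freezing the chain stops later writes through Object.getPrototypeOf; it does not hide the prototype, which stays readable by anyone holding the object.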

