On Scope And Prototype Security

Andrea Giammarchi andrea.giammarchi at gmail.com
Tue Mar 19 16:48:16 PDT 2013


missing a) the Proxy, which is nowhere right now if not in Firefox and b)
the fact Private won't be prototypeOf instances so there's an intermediate
layer to track. The set could also reflect a setter in the prototype, a
setter that I might decide to add or swap runtime. I don't see Proxy that
flexible because I cannot decide when I want that set should do something
else if not passing through internal, runtime swapped, functions bringing
the context.

As I've said, yours was the closest thing to what I meant, so if there's no
way to obtain with new features what was possible in 1998 then I might have
no choice and opt for proxies.

I still believe private classes and the ability to make a prototype not
discoverable should be part of the language.

As an example, I think it is kinda weird that everybody can modify the
Arguments.prototype, even if this could be used to do the most common thing
on earth: add slice to it

// fetch the prototype of an arguments object and add slice to it
(function(){
  return arguments.__proto__||Object.getPrototypeOf(arguments);
}()).slice=[].slice;

// example
(function(){
  alert(arguments.slice(1)); // 2, 3
}(1, 2, 3));

br







On Tue, Mar 19, 2013 at 4:29 PM, Juan Ignacio Dopazo
<dopazo.juan at gmail.com> wrote:

> 2013/3/19 Andrea Giammarchi <andrea.giammarchi at gmail.com>
>
>>
>> @Juan I don't want the complexity of a Proxy, I want objects that inherit
>> from my private object so that what changes in my private object reflects
>> automatically everywhere.
>>
>
> Maybe you're misunderstanding my example. I'm not returning a proxy each
> time, I'm using a proxy as the prototype of all your instances. That way
> even though the prototype is accessible with Object.getPrototypeOf(outer),
> the untrusted party still can't do anything with it. And you can still
> modify your private object and the change is reflected everywhere.
>
> If you did understand it, then what are we missing?
>
> Juan
>
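
The arrangement described in the quoted reply (a proxy used as the prototype of every instance), shown next to a plain shared prototype. This is an added example, not code from the thread or from either participant. It assumes the standardized ES2015 Proxy and Reflect API, and every function and property name in it is hypothetical.

```javascript
// Added illustration; makePlainClass, makeGuardedClass, tamper and greet
// are hypothetical names, not taken from the thread.

// Weak form: instances inherit from a plain object that anyone can reach.
function makePlainClass() {
  const proto = { greet() { return 'hello'; } };
  return { create: () => Object.create(proto) };
}

// Guarded form: instances inherit from a Proxy; the real object stays private.
function makeGuardedClass() {
  const secret = { greet() { return 'hello'; } };
  const guarded = new Proxy(Object.create(null), {
    // Reads are forwarded, so owner-side changes show up on every instance.
    get: (_t, key, receiver) => Reflect.get(secret, key, receiver),
    has: (_t, key) => key in secret,
    set(_t, key, value, receiver) {
      // A write aimed at the prototype itself is refused.
      if (receiver === guarded) return false;
      // A write that started on an instance: run a setter from `secret`
      // if there is one, otherwise create an own property on that instance.
      return Reflect.set(secret, key, value, receiver);
    },
    defineProperty: () => false,
    deleteProperty: () => false,
    setPrototypeOf: () => false,
  });
  return {
    create: () => Object.create(guarded),
    // Owner-only path for swapping behaviour at runtime.
    update(key, value) { secret[key] = value; },
  };
}

// What a holder of one instance can try (only create() is used here): find
// the shared prototype and overwrite a method on it. Returns what a
// different instance sees afterwards.
function tamper(cls) {
  const mine = cls.create();
  const other = cls.create();
  const proto = Object.getPrototypeOf(mine);
  Reflect.set(proto, 'greet', () => 'tampered');
  Reflect.defineProperty(proto, 'greet', { value: () => 'tampered', configurable: true });
  return other.greet();
}

console.log(tamper(makePlainClass()));   // tampered
console.log(tamper(makeGuardedClass())); // hello
```

Values handed out by the get trap are the real objects stored in the private object, so anything mutable kept there should be frozen or copied before it is exposed.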