On Scope And Prototype Security

Andrea Giammarchi andrea.giammarchi at gmail.com
Tue Mar 19 17:17:59 PDT 2013


on this example
(function(){return arguments.__proto__||Object.getPrototypeOf(arguments)}()).slice=[].slice;

turned out Arguments is, as an example, a hidden class, since
arguments.__proto__ is Object.prototype ^__^

(function(){
  alert(Object.getPrototypeOf(arguments) === Object.prototype);
}());

but [[Class]] of arguments is Arguments

so this is exactly what I meant ... finally I found the perfect example:
Arguments ... the class is unreachable, all instances can be manipulated,
theoretically, behind the scenes to throw, retrieve, or do, whatever.

Rick ... maybe ES7 is better than "NO" or "use something else this is not a
problem", thanks



On Tue, Mar 19, 2013 at 5:03 PM, Rick Waldron <waldron.rick at gmail.com> wrote:

>
>
> On Tuesday, March 19, 2013, Andrea Giammarchi wrote:
>
>> oh dear ... even the example did not explain ... how can that be ?
>>
>> @Rick it is not because of my Alzheimer's that I did **not** freeze the
>> private object. I want to manipulate that because that's my object
>>
>
> This wasn't specified in your example code and comments.
>
>
>> and I want to expose objects that inherit from it without giving anyone
>> the possibility to reach my private, own, object!
>>
>
>> I don't want to be able to freeze the object, I don't want anyone "out
>> there" to even reach it ... via __proto__ or getPrototypeOf, got it?
>>
>
> Yes, I "got it". Time machines are out of scope for ES6, maybe ES7?
>
> Rick
>
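
Added example, not part of the original message or of the es-discuss thread: it runs the assignment from the snippet above against three instances to show where the write lands, and what freezing the prototype changes. The names tamperViaInstance, classOf and openProto are hypothetical, the objects are constructed stand-ins, and each write is undone before the function returns.

```javascript
// [[Class]] as reported by Object.prototype.toString, e.g. "Arguments".
function classOf(value) {
  return Object.prototype.toString.call(value).slice(8, -1);
}

// Reach the prototype through an instance, attempt the assignment from the
// message, and report what it touched. The write is undone before returning.
function tamperViaInstance(instance) {
  'use strict'; // a write to a frozen object throws instead of failing silently
  const proto = Object.getPrototypeOf(instance);
  const sibling = Object.create(proto); // any other object sharing that prototype
  const hasOwn = () => Object.prototype.hasOwnProperty.call(proto, 'slice');
  const result = {
    instanceClass: classOf(instance),
    protoIsObjectPrototype: proto === Object.prototype,
    writeSucceeded: false,
    siblingAffected: false,
    plainObjectAffected: false,
  };
  try {
    proto.slice = [].slice; // TypeError when proto is frozen
    result.writeSucceeded = hasOwn();
    result.siblingAffected = typeof sibling.slice === 'function';
    result.plainObjectAffected = typeof ({}).slice === 'function';
  } catch (err) {
    if (!(err instanceof TypeError)) throw err;
  } finally {
    if (hasOwn()) delete proto.slice; // restore the prototype
  }
  return result;
}

// 1. arguments: [[Class]] is Arguments, but the prototype is Object.prototype,
//    so the write is visible on every ordinary object in the realm.
const argsCase = (function () { return tamperViaInstance(arguments); }());

// 2. An unfrozen "private" prototype (constructed) is reachable from any
//    inheritor through Object.getPrototypeOf, and the write reaches siblings.
const openProto = { secret: 1 };
const openCase = tamperViaInstance(Object.create(openProto));

// 3. The same shape with a frozen prototype: still reachable, not writable.
const frozenCase = tamperViaInstance(Object.create(Object.freeze({ secret: 1 })));

console.log({ argsCase, openCase, frozenCase });
```

Freezing stops the write but not the read: Object.getPrototypeOf still returns the frozen object, which is the reachability the message objects to.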