Object.assign and __proto__ property

Andrea Giammarchi andrea.giammarchi at gmail.com
Mon Oct 21 20:26:33 PDT 2013


As sanity/integrity check, `Object.assign` should be something like this to
me ...

```javascript

for (var property in source) {
  if (Object.prototype.hasOwnProperty.call(source, key)) {
    if (key in target) {
      Object.defineProperty(
        target, key,
        Object.getOwnPropertyDescriptor(
          source, key
        )
      );
    } else {
      target[key] = source[key];
    }
  }
}

```

If this is what every dev should do in order to have a meaningful version
of current `Object.assign`, I agree with Rick that in core this could/would
be properly optimized and made faster.

Best Regards







On Mon, Oct 21, 2013 at 8:18 PM, Nathan Wall <nathan.wall at live.com> wrote:

> In reading Rick's response, I noticed my comments were rather "messy"
> themselves.  Correcting for clarity.
>
> > Given that `__proto__` is defined as an accessor on `Object.prototype`,
> > I think this should be expected. Any other setter defined on the object
> > or its prototype chain will be invoked in the same manner. It's
> > directly triggering `[[SetPrototypeOf]]`, it's just invoking the
> > `__proto__` setter which happens to trigger `[[SetPrototypeOf]]`.
>
> Should say "It's **not** directly triggering `[[SetPrototypeOf]]`..."
>
>
> > Plus, there's no reason this shouldn't work:
> >
> > var info = JSON.stringify(
> > '{ "__proto__": "A description of __proto__",' +
> > '"hasOwnProperty": "A description of hasOwnProperty" }'
> > );
> >
> > var otherInfo = JSON.stringify(
> > '{ "propertyIsEnumerable": "A description of propertyIsEnumerable" }'
> > );
> >
> > Object.assign(otherInfo, info);
> > console.log(info.__proto__);
> >
>
> Should be `JSON.parse`, of course.
>
> Rick Waldron wrote:
> >> ... especially given that this `__proto__` dilemma feels "messy".
> >
> > The very last comment seems subjective, and my own subjective response
> > is that it's not "messy".
> >
>
> Although my message was objectively messy (referring to the mistakes
> above), you're right that the comment on the `__proto__` dilemma is
> subjective, but it makes some sense.  As Andrea pointed out, it may become
> common practice (at least among those who care about integrity) to want to
> leave out `__proto__` from assign-like operations, especially when the
> object to assign from comes from an unknown or (even moreso) an untrusted
> source -- the same as `hasOwnProperty` checks in `for..in`.
>
> Maybe `Object.assign` should only write the property when the object being
> written to either doesn't contain it or it's a data property?  Should it
> really invoke any setters?
>
> Too bad it's too late to bring that `__proto__` ship back to the harbor
> because that's where the real problem lies.
>
> Nathan
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20131021/d52353d9/attachment-0001.html>


More information about the es-discuss mailing list