Making operations on property descriptors more robust against Object.prototype hazards

Claude Pache claude.pache at gmail.com
Mon Sep 15 09:03:03 PDT 2014


On 14 Sept 2014, at 01:58, Mark S. Miller <erights at google.com> wrote:

> +1
> 
> Adding string-named properties to Object.prototype will create all sorts of hazards. The only way to avoid such hazards is not to do that. We do not need to pervert other APIs to make this fatally bad practice slightly less fatal.
> 
> If you want to actually defend against such hazards rather than blindly trusting all your code not to add properties to Object.prototype, do
> 
>     Object.preventExtensions(Object.prototype);
> 
> However, this will also prevent the addition of symbol-named properties, which are still problematic but much less so.
> 

Yes, and it would be nice to have more fine-grained methods than Object.preventExtensions. For example:

	Object.forbidProperties(Object.prototype, ['value', 'writable', 'get', 'set', 'configurable', 'enumerable'])
	
	Object.forbidNumericalProperties(Array.prototype)

This could be experimented with using proxies... although it will be easy to circumvent the proxy by using `Object.getPrototypeOf({})` instead of `Object.prototype`, unless we monkey-patch `Object.getPrototypeOf`, `Object.prototype.__proto__`, `Reflect.getPrototypeOf`...

―Claude
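
The descriptor hazard discussed in this message and the `Object.preventExtensions(Object.prototype)` defence, as an added example that is not part of the original message; the helper names are hypothetical and the pollution is constructed and undone inside the probe. It goes slightly beyond the thread by also showing a null-prototype descriptor, which is immune per call without locking anything.

```javascript
// Added example (helper names are hypothetical). Try to plant a string-named
// 'get' on Object.prototype (constructed pollution), then define a data
// property with a literal descriptor and with a null-prototype descriptor.
function probeDescriptorHazard() {
  const planted = Reflect.defineProperty(Object.prototype, 'get', {
    value() { return 'hijacked'; },
    writable: true, enumerable: false, configurable: true,
  });
  const result = { planted, literal: null, nullProto: null };
  try {
    const candidates = [
      ['literal', { value: 1 }],
      ['nullProto', Object.assign(Object.create(null), { value: 1 })],
    ];
    for (const [label, desc] of candidates) {
      try {
        // Descriptor fields are read with HasProperty, so an inherited
        // 'get' collides with the own 'value' and the call is rejected.
        Object.defineProperty({}, 'x', desc);
        result[label] = 'ok';
      } catch (e) {
        result[label] = e instanceof TypeError ? 'TypeError' : 'other';
      }
    }
  } finally {
    if (planted) delete Object.prototype.get; // undo the pollution
  }
  return result;
}

// Irreversible: afterwards no new own property can be added, whether
// string-named or symbol-named.
function lockObjectPrototype() {
  Object.preventExtensions(Object.prototype);
  const desc = { value: true, configurable: true };
  return {
    extensible: Object.isExtensible(Object.prototype),
    stringKeyAdded: Reflect.defineProperty(Object.prototype, 'writable', desc),
    symbolKeyAdded: Reflect.defineProperty(Object.prototype, Symbol('demo'), desc),
  };
}

// Order matters: probe, lock, probe again.
const demo = {
  before: probeDescriptorHazard(),
  lock: lockObjectPrototype(),
  after: probeDescriptorHazard(),
};
console.log(demo);
```

After the lock the second probe can no longer plant `get`, so the literal descriptor works again; the symbol-keyed attempt failing is the side effect the quoted message points out.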

