Making operations on property descriptors more robust against Object.prototype hazards

Andrea Giammarchi andrea.giammarchi at gmail.com
Mon Sep 15 09:24:25 PDT 2014


not a bad idea, here something to play with:

```js
Object.forbidProperties = (function(descriptor){
  function makeForbidden(property) {
    Object.defineProperty(this, property, descriptor);
  }
  descriptor.get = function () {
    return void 0;
  };
  descriptor.set = function (value) {
    throw new Error('unable to set: ' + value);
  };
  descriptor.enumerable = false;
  descriptor.configurable = false;
  return function forbidProperties(obj, properties) {
    properties.forEach(makeForbidden, obj);
    return obj;
  };
}(Object.create(null)));
```

makes this possible:

```js
Object.forbidProperties(Object.prototype, ['value', 'writable', 'get',
'set', 'configurable', 'enumerable']);
```

although all those will show up through `getOwnPropertyNames` ... slightly
bummer

Regards



On Mon, Sep 15, 2014 at 5:03 PM, Claude Pache <claude.pache at gmail.com>
wrote:

>
> Le 14 sept. 2014 à 01:58, Mark S. Miller <erights at google.com> a écrit :
>
> > +1
> >
> > Adding string-named properties to Object.prototype will create all sorts
> of hazards. The only way to avoid such hazards is not to do that. We do not
> need to pervert other APIs to make this fatally bad practice slightly less
> fatal.
> >
> > If you want to actually defend against such hazards rather than blindly
> trusting all you code not to add properties to Object.prototype, do
> >
> >     Object.preventExtensions(Object.prototype);
> >
> > However, this will also prevent the addition of symbol-named properties,
> which are still problematic but much less so.
> >
>
> Yes, and it would be nice to have more fine-grained methods than
> Object.preventExtensions. For example:
>
>         Object.forbidProperties(Object.prototype, ['value', 'writable',
> 'get', 'set', 'configurable', 'enumerable'])
>
>         Object.forbidNumericalProperties(Array.prototype)
>
> This could be experimented with proxies... although it will be easy to
> circumvent the proxy by using  `Object.getPrototypeOf({})` instead of
> `Object.prototype`, unless we monkey-patch `Object.getPrototypeOf`,
> `Object.prototype.__proto__`, `Reflect.getPrototypeOf`...
>
> ―Claude
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20140915/5ed67e12/attachment.html>


More information about the es-discuss mailing list