@@toStringTag spoofing for null and undefined

Allen Wirfs-Brock allen at wirfs-brock.com
Mon Jan 19 16:47:09 PST 2015

On Jan 19, 2015, at 2:59 PM, Nicholas C. Zakas wrote:

> According to Object.prototype.toString() [1], it's possible to do this:
> ```js
> function Foo(){}
> Foo.prototype[Symbol.toStringTag] = "Null";
> Object.prototype.toString.call(new Foo());   // "[object Null]"
> ```
> It seems like `"Null"` and `"Undefined"` should be added to the step 17(b) list of exceptions to prevent spoofing of null and undefined values using this approach.
> I couldn't think of a reason why the current behavior would make sense, but if I'm off base, feel free to correct me. :)
> [1]: https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.prototype.tostring

Let's be clear, the legacy usage we are trying to preserve is specifically detecting whether an object is one of those that in ES5 would have had a [[Class]] value that was one of "Function", "Array", "RegExp", "Date", "Arguments", "Error", "String", "Number", "Boolean".

In ES<=5, O.p.toString just reported an object's [[Class]] value and no object created using a JS level constructor could have those specific [[Class]] values. So O.p.toString worked as a brand check for those specific built-in object representations.

We can't know everything JS programmers might have used that brand check for, so we need to preserve that O.p.toString behavior for those specific built-ins. Part of the behavior we want to preserve is that only the implementation provided built-ins could return those specific values via O.p.toString (this was a requirement introduced by ES5). The spoofing protection is designed to preserve that requirement.

"null" and "undefined" were never [[Class]] values. They were actually introduced into O.p.toString by ES5.1 to fix a specific problem that was discovered after ES5 was completed (see threads starting at https://mail.mozilla.org/pipermail/es5-discuss/2010-June/003581.html and https://mail.mozilla.org/pipermail/es5-discuss/2010-June/003585.html).

I find it a stretch to believe that anyone is depending upon using O.p.toString as a non-spoofable brand check for null or undefined.
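
As an added example (not part of the original message or of the ES6 draft), one way to brand-check without consulting @@toStringTag at all is to probe for the built-in's internal slot directly. The names `brandOf`, `slotProbes` and `legacyTag` are hypothetical, and only a subset of the built-ins listed above is covered ("Arguments" and "Error" have no such probe here).

```javascript
// Added example: brand checks that never read Symbol.toStringTag.
// Each probe calls a built-in method that throws a TypeError unless its
// receiver carries the matching internal slot, so a user-defined tag
// cannot influence the answer.
const regexpSource =
  Object.getOwnPropertyDescriptor(RegExp.prototype, "source").get;

const slotProbes = {
  Date: (v) => Date.prototype.getTime.call(v),
  RegExp: (v) => regexpSource.call(v), // note: also accepts RegExp.prototype
  String: (v) => String.prototype.valueOf.call(v),
  Number: (v) => Number.prototype.valueOf.call(v),
  Boolean: (v) => Boolean.prototype.valueOf.call(v),
};

// Hypothetical helper: returns a brand name, or "Object" when no probe matches.
function brandOf(value) {
  if (value === null) return "Null";
  if (value === undefined) return "Undefined";
  if (typeof value === "function") return "Function";
  if (Array.isArray(value)) return "Array";
  for (const [name, probe] of Object.entries(slotProbes)) {
    try {
      probe(value);
      return name;
    } catch (e) {
      if (!(e instanceof TypeError)) throw e; // only slot mismatches are expected
    }
  }
  return "Object";
}

// The tag-based check discussed in this thread, for comparison.
const legacyTag = (v) => Object.prototype.toString.call(v).slice(8, -1);

// The case from the quoted message: an ordinary object tagged "Null".
function Foo() {}
Foo.prototype[Symbol.toStringTag] = "Null";

console.log(legacyTag(new Foo()), brandOf(new Foo())); // tag-based vs slot-based
console.log(legacyTag(null), brandOf(null));
console.log(brandOf({ [Symbol.toStringTag]: "Date" }), brandOf(new Date()));
```
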

