@@toStringTag spoofing for null and undefined

Mark Miller erights at gmail.com
Sat Jan 24 14:59:52 PST 2015


Put better, the spec requires that Object.freeze(Object.prototype) works.


On Sat, Jan 24, 2015 at 2:57 PM, Mark Miller <erights at gmail.com> wrote:

>
>
> On Sat, Jan 24, 2015 at 2:42 PM, Isiah Meadows <impinball at gmail.com>
> wrote:
>
>> > From: "Mark S. Miller" <erights at google.com>
>> > To: Gary Guo <nbdd0121 at hotmail.com>
>> > Cc: "es-discuss at mozilla.org" <es-discuss at mozilla.org>
>> > Date: Sat, 24 Jan 2015 07:11:35 -0800
>> > Subject: Re: @@toStringTag spoofing for null and undefined
>> > Of course it can, by tamper proofing (essentially, freezing)
>> Object.prototype. None of these protections are relevant anyway in an
>> environment in which the primordials are not locked down.
>>
>> Yeah, pretty much. That proverbial inch was given a long time ago. And
>> the proverbial mile taken. And I highly doubt the spec is going to require
>> `Object.freeze(Object.prototype)`,
>>
> Of course not. The key is the spec allows it. SES makes use of that.
>
>> since that prohibits future polyfills and prolyfills of the Object
>> prototype. Also, you could always straight up overwrite it, but that's even
>> harder to protect against. (And how many cases do you know of literally
>> overwriting built-in prototypes?)
>>
>> Or, to throw out an analog to Java, it is perfectly possible to call or
>> even override a private method through reflection. JavaScript simply has
>> more accessible reflection, more often useful since it's a more dynamic
>> prototype-based OO language as opposed to a stricter class-based language.
>>
>> >
>> > On Sat, Jan 24, 2015 at 6:11 AM, Gary Guo <nbdd0121 at hotmail.com> wrote:
>> >>
>> >> Now I have a tendency to support the suggestion that cuts the
>> anti-spoofing part. If a coder wants to make an object and pretend it's a
>> built-in, let it be. The anti-spoofing algorithm could not prevent this
>> case:
>> >> ```
>> >> Object.prototype.toString = function(){
>> >>   return '[object I_Can_Be_Anything]';
>> >> }
>> >> ```
>> >>
>>
>> Or this:
>> ```js
>> function handler() {
>>   throw new Error("No prototype for you!");
>> }
>>
>> Object.defineProperty(
>>   Object,
>>   'prototype',
>>   {
>>     get: handler,
>>     set: handler,
>>     enumerable: true
>>   });
>> ```
>>
>> Methinks this isn't going to get "fixed".
>>
>> >> _______________________________________________
>> >> es-discuss mailing list
>> >> es-discuss at mozilla.org
>> >> https://mail.mozilla.org/listinfo/es-discuss
>> >>
>> >
>> >
>> >
>> > --
>> >     Cheers,
>> >     --MarkM
>> >
>> >
>>
>>
>
>
> --
> Text by me above is hereby placed in the public domain
>
>   Cheers,
>   --MarkM
>



-- 
Text by me above is hereby placed in the public domain

  Cheers,
  --MarkM
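
The behaviour discussed in this message, as an added example that is not part of the original thread: it runs the quoted `Object.prototype.toString` override before and after `Object.freeze(Object.prototype)`, then tries the quoted `Object.defineProperty(Object, 'prototype', ...)` call. The names `lockdownDemo` and `lockdownReport` are hypothetical, and the freeze applies to the realm the code runs in.

```javascript
// Added illustration, not code from the thread. lockdownDemo is a hypothetical name.
// It freezes Object.prototype in the current realm, so run it in a scratch process.
function lockdownDemo() {
  'use strict';
  const original = Object.prototype.toString;
  const out = {};

  // 1. Primordials not locked down: the quoted override succeeds.
  Object.prototype.toString = function () {
    return '[object I_Can_Be_Anything]';
  };
  out.beforeFreeze = Object.prototype.toString.call(null);
  Object.prototype.toString = original; // restore before locking down

  // 2. Tamper-proof the primordial, as the spec permits.
  Object.freeze(Object.prototype);
  out.frozen = Object.isFrozen(Object.prototype);

  // 3. The same override is now rejected (TypeError in strict mode).
  try {
    Object.prototype.toString = function () {
      return '[object I_Can_Be_Anything]';
    };
    out.overrideAfterFreeze = 'succeeded';
  } catch (e) {
    out.overrideAfterFreeze = e.name;
  }
  out.afterFreeze = Object.prototype.toString.call(null);

  // 4. Replacing Object.prototype with an accessor: the property is specified
  //    as non-writable and non-configurable, so defineProperty rejects it.
  const handler = () => { throw new Error('No prototype for you!'); };
  try {
    Object.defineProperty(Object, 'prototype',
      { get: handler, set: handler, enumerable: true });
    out.redefinePrototype = 'succeeded';
  } catch (e) {
    out.redefinePrototype = e.name;
  }
  return out;
}

// Run once: a second call would fail at step 1 because the freeze is permanent.
const lockdownReport = lockdownDemo();
console.log(JSON.stringify(lockdownReport, null, 2));
```

Outside strict mode the assignment in step 3 fails silently instead of throwing, so a lockdown check should read the property back rather than rely on an exception.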