Object.unfreeze, or similar API

Jordan Harband ljharb at gmail.com
Tue Feb 20 06:22:57 UTC 2018

The entire purpose of Object.freeze is that the frozen object *can never be
altered again* (in the ways that freeze restricts, at least). Allowing an
object to be unfrozen would violate that very critical security property.

The same is true with seal and preventExtensions. Once locked down, an
object *must not* be unlockable.

On Mon, Feb 19, 2018 at 12:35 PM, Oriol _ <oriol-bugzilla at hotmail.com>

> > So, what if there was a way to unfreeze an object in the scope in which
> the object was frozen?
> I don't think the behavior of object operations should depend on the scope
> in which they are used.
> And I could understand undoing [[PreventExtensions]], just switch
> [[Extensible]] back to true (for ordinary objects). But unfreezing makes no
> sense. How is ES supposed to know which properties became non-configurable
> because of `Object.freeze` and which ones were manually defined as
> non-configurable? Do you want all non-configurable properties to become
> configurable when "unfreezing"? I think that would be bad.
> > // recommend all listeners to be synchronous, and not modify the payload
> later
> You can recommend, but what if they are not synchronous? They will have a
> reference to the unfrozen object! If you trust them, you can avoid freezing
> in the first place. If you can't trust them, unfreezing is a big problem!
> Frankly I don't see the point, if you don't want to clone just use a proxy
> that only allows restricted access.
> ```js
> let error = () => { throw new Error(); };
> let allowed = ["get", "ownKeys", "has", "getOwnPropertyDescriptor"];
> let handler = new Proxy(Object.create(null), {
>   get(_, trap, receiver) {
>     if (!allowed.includes(trap)) return error;
>   }
> });
> this.emit('some:event', new Proxy(obj, handler));
> ```
> -- Oriol
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20180219/929860ae/attachment.html>

More information about the es-discuss mailing list