Another de-facto insecurity we need to fix in ES5

David-Sarah Hopwood david-sarah at jacaranda.org
Fri Jun 19 12:21:07 PDT 2009


Allen Wirfs-Brock wrote:
>> -----Original Message-----
>> From: Brendan Eich [mailto:brendan at mozilla.com]
>>
>>> BTW, I haven't yet perceived that we have consensus on putting this
>>> into ES5.  My interpretation of  Brendan's initial comments on the
>>> matter was that he was opposed to it for ES5.  (I'm sure he'll let
>>> us know whether or not that is correct).
>>
>> It's late in the game, but a sentence about [[Prototype]] seems
>> doable. I defer to you on this, since you're Editor and it'll fall
>> upon you to draft the change.
> 
> OK, I'll put it in.

I don't understand -- why just [[Prototype]], and not all internal
properties? Mutating any other internal property (such as [[Get]]
or [[Put]], for instance) would also clearly violate the intent.

The existing draft already precludes any modification of __proto__ after
Object.freeze. That's because __proto__ is an own property. The oversight
is that internal properties are not own properties (I think).

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com



More information about the es5-discuss mailing list