Another de-facto insecurity we need to fix in ES5

Mark Miller erights at
Tue Jun 23 18:45:38 PDT 2009

On Tue, Jun 23, 2009 at 2:42 PM, Brendan Eich <brendan at> wrote:

> On Jun 23, 2009, at 1:04 PM, David-Sarah Hopwood wrote:
>> In any case, I repeat that there is no reason to distinguish between
>> [[Prototype]] and other internal properties in this respect.
>
> I agree, FWIW -- I was focused on [[Prototype]] due to the __proto__
> concern.
> Still, if the intention of the proposed spec language change is to make
> sure implementations treat o.__proto__ as not writable when
> Object.freeze(o), e.g., is called, then calling out [[Prototype]] would
> increase the odds of achieving the intended goal.

Yes. For that reason I favor calling [[Prototype]] out. Iff normative text
elsewhere makes that specific explicitness redundant, then the specific
explicit statement could be a non-normative note. But, as with F.caller, the
implication needs to be normative so that conformance test suites can test
for expected violations.

> Mentioning __proto__ would increase those odds even more,

Mentioning __proto__ in a non-normative note would certainly be fine.

> but it is hard to name that horror without inducing madness (shades of
> Lovecraft ;-)).


Text by me above is hereby placed in the public domain
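
The behaviour the thread asks the spec to pin down, written as a conformance-style check. This is an added example, not code from the thread or from any test suite; it uses APIs standardized after this message (`Object.setPrototypeOf`, `Reflect.setPrototypeOf`), and all helper names are hypothetical.

```javascript
'use strict';
// Added illustration; all helper names are hypothetical.

// A frozen object that inherits describe() from safeProto.
function makeFrozen() {
  const safeProto = { describe() { return 'safe'; } };
  return Object.freeze(Object.create(safeProto));
}

const replacement = { describe() { return 'replaced'; } };

// The three ways a script can ask for a different [[Prototype]].
const WAYS = {
  '__proto__ assignment': (o) => { o.__proto__ = replacement; },
  'Object.setPrototypeOf': (o) => { Object.setPrototypeOf(o, replacement); },
  'Reflect.setPrototypeOf': (o) => Reflect.setPrototypeOf(o, replacement),
};

// Run every way against a fresh frozen object and record how it was refused.
function probeFrozenPrototype() {
  return Object.entries(WAYS).map(([label, change]) => {
    const target = makeFrozen();
    const original = Object.getPrototypeOf(target);
    let outcome;
    try {
      outcome = change(target) === false ? 'returned false' : 'no error';
    } catch (e) {
      outcome = e instanceof TypeError ? 'TypeError' : 'other error';
    }
    return {
      label,
      outcome,
      protoUnchanged: Object.getPrototypeOf(target) === original,
      inherited: target.describe(), // must still resolve to safeProto
    };
  });
}

// Control: without freeze the same assignment silently changes behaviour.
function probeUnfrozen() {
  const o = Object.create({ describe() { return 'safe'; } });
  o.__proto__ = replacement;
  return o.describe();
}

console.table(probeFrozenPrototype());
console.log('unfrozen control:', probeUnfrozen());
```

An engine that reports `no error` or `protoUnchanged: false` for any row lets inherited behaviour of a frozen object be swapped out from under code that trusted it.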

More information about the es5-discuss mailing list