Another de-facto insecurity we need to fix in ES5

Mark Miller erights at gmail.com
Tue Jun 23 18:45:38 PDT 2009


On Tue, Jun 23, 2009 at 2:42 PM, Brendan Eich <brendan at mozilla.org> wrote:

> On Jun 23, 2009, at 1:04 PM, David-Sarah Hopwood wrote:
>
>> In any case, I repeat that there is no reason to distinguish between
>> [[Prototype]] and other internal properties in this respect.
>>
>
> I agree, FWIW -- I was focused on [[Prototype]] due to the __proto__
> concern.
>
> Still, if the intention of the proposed spec language change is to make
> sure implementations treat o.__proto__ as not writable when
> Object.freeze(o), e.g., is called, then calling out [[Prototype]] would
> increase the odds of achieving the intended goal.
>

Yes. For that reason I favor calling [[Prototype]] out. Iff normative text
elsewhere makes that specific explicitness redundant, then the specific
explicit statement could be a non-normative note. But, as with F.caller, the
implication needs to be normative so that conformance test suites can test
for expected violations.


> Mentioning __proto__ would increase those odds even more,


Mentioning __proto__ in a non-normative note would certainly be fine.


> but it is hard to name that horror without inducing madness (shades of
> Lovecraft ;-)).
>

;)

-- 
Text by me above is hereby placed in the public domain

   Cheers,
   --MarkM
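
Added example, not part of the original message: a conformance-style probe of the behaviour discussed above, that `o.__proto__` is not writable once `Object.freeze(o)` has been called. It goes beyond the message by also covering `Object.seal`, `Object.preventExtensions` and the later `Object.setPrototypeOf` / `Reflect.setPrototypeOf` APIs; all function and variable names are illustrative.

```javascript
// Added example (not from the thread): probe whether an engine refuses
// [[Prototype]] changes on objects that are no longer extensible.

// The three ways script code can try to replace an object's prototype.
const MUTATION_PATHS = {
  // Legacy accessor named in the thread.
  protoAssignment: (obj, proto) => { obj.__proto__ = proto; },
  // Standard API: throws TypeError when the object refuses the change.
  objectSetPrototypeOf: (obj, proto) => { Object.setPrototypeOf(obj, proto); },
  // Reflect API reports refusal as `false`; normalise that to a TypeError.
  reflectSetPrototypeOf: (obj, proto) => {
    if (!Reflect.setPrototypeOf(obj, proto)) throw new TypeError("refused");
  },
};

// Apply `lock` to a fresh object per path, attempt the mutation, and record
// whether it was rejected and whether the prototype is still the original.
function probePrototypeLock(lock) {
  const report = {};
  for (const [name, mutate] of Object.entries(MUTATION_PATHS)) {
    const original = { tag: "original" };        // constructed sample values
    const replacement = { tag: "replacement" };
    const target = Object.create(original);
    lock(target);
    let rejected = false;
    try {
      mutate(target, replacement);
    } catch (err) {
      rejected = err instanceof TypeError;
    }
    report[name] = {
      rejected,
      prototypeUnchanged: Object.getPrototypeOf(target) === original,
    };
  }
  return report;
}

// True only if every path was rejected and left the prototype intact.
function isPrototypeLocked(lock) {
  return Object.values(probePrototypeLock(lock))
    .every((r) => r.rejected && r.prototypeUnchanged);
}

console.log({
  freeze: isPrototypeLocked(Object.freeze),
  seal: isPrototypeLocked(Object.seal),
  preventExtensions: isPrototypeLocked(Object.preventExtensions),
  unlockedControl: isPrototypeLocked((o) => o),
});
```

The unlocked control is there so that a probe which never manages to change a prototype at all cannot be mistaken for a passing result.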