Thank you.
-- pesan asli --
Subjek: Re: [v8-users] Best way to protect against external JS affecting
internal JS
Dari: Toon Verwaest <verwa...@chromium.org>
Tanggal: 13-03-2013 21.23
Once we have proper symbol (private names) support, you could use that to
make your own internal API.
On Wed, Mar 13, 2013 at 2:56 PM, Michael Schwartz <myk...@gmail.com> wrote:
> Can Harmony Proxies be used to detect when the prototypes or builtins are
> being overridden?
>
> If so, you could save the original and provide a new API to fetch the
> original.
>
> On Mar 13, 2013, at 3:01 AM, Jakob Kummerow <jkumme...@chromium.org>
> wrote:
>
> On Tue, Mar 12, 2013 at 11:56 PM, Benjamin Kalman <kal...@chromium.org>wrote:
>
>> I'm on the Chrome Extensions team, and we've run into a problem where
>> extensions override Array.prototype.forEach in a way that breaks our
>> internal JS.
>>
>> A workaround we've done is to write our own forEach method, but this
>> problem is widespread - extensions also override JSON,
>> document.createElement, etc - the vector for accidental breakage is as
>> widespread as all of the JS and DOM libraries.
>>
>
> Welcome to JavaScript! Have you considered using a language with a sane
> specification?
>
>
>> What is the best way to protect against this in a general way?
>>
>
> There is none. Being able to monkey-patch everything is a "feature" of the
> language. Fun fact: some properties are read-only, so they can be relied
> upon. Or can they?
> > Math.PI
> 3.141592653589793
> > Math.PI = 4
> > Math.PI
> 3.141592653589793
> > Math = {PI: 4}
> > Math.PI
> 4
>
>
>> The only safe thing I can think of is to run all our code in a separate
>> context, but I've been told that creating contexts is an expensive
>> operation. How expensive?
>>
>
> Have you tried benchmarking it? If you can't measure it, it's not
> important. If you can, you'll have data to help decide whether the
> difference is a problem in your use case or not.
>
>
>> Alternatively, apparently v8 has solved this problem internally by
>> guaranteeing that it's running the builtin libraries - is/can this be
>> exposed?
>>
>
> Sorry, no.
> You can lobby for an official way to retrieve the original unpatched
> implementations to be included in ECMAScript 7. The general problem with
> introducing sanity, however, is that you can't break existing code, which
> basically means that all the good stuff has to be opt-in, which in turn
> means that the original problem doesn't just go away, instead you'll still
> have to support it until it slowly dies out, if ever.
>
> Crazy idea: how about a rule for the Chrome web store that forbids
> monkey-patching builtins? :-)
>
>
>> Cheers,
>> Ben.
>>
>> --
>> --
>> v8-users mailing list
>> v8-users@googlegroups.com
>> http://groups.google.com/group/v8-users
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "v8-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to v8-users+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>>
>>
>
>
> --
> --
> v8-users mailing list
> v8-users@googlegroups.com
> http://groups.google.com/group/v8-users
> ---
> You received this message because you are subscribed to the Google Groups
> "v8-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to v8-users+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
>
> --
> --
> v8-users mailing list
> v8-users@googlegroups.com
> http://groups.google.com/group/v8-users
> ---
> You received this message because you are subscribed to the Google Groups
> "v8-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to v8-users+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
--
--
v8-users mailing list
v8-users@googlegroups.com
http://groups.google.com/group/v8-users
---
You received this message because you are subscribed to the Google Groups
"v8-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to v8-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
--
--
v8-users mailing list
v8-users@googlegroups.com
http://groups.google.com/group/v8-users
---
You received this message because you are subscribed to the Google Groups
"v8-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to v8-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
