Waldemar Horwat <mailto:walde...@google.com>
January 18, 2012 5:27 PM
My rough notes from today's meeting.

Thanks yet again for these.

Use __proto__ in object literals to do a put (assuming that a __proto__ getter/setter was created in Object.prototype) instead of a defineProperty? All modes or only nonstrict mode?
Allen: Make such use of __proto__ to be a synonym for <|. If a <| is already present, it's an error.
DaveH: __proto__ is ugly. Don't want it in the language forever.
Waldemar: What about indirect [] expressions that evaluate to "__proto__"? In Firefox they evaluate to accesses that climb the prototype chain and usually reach a magic getter/setter-that-isn't-a-getter-setter named __proto__ that sits on Object.prototype.
MarkM: Likes the ability to delete __proto__ setter and thereby prevent anything in the frame from mutating prototypes.
Waldemar: How do you guard against cross-frame prototype mutations?
DaveH: __proto__ is in the "omg, what were we thinking" category.
Waldemar: Opposed to making __proto__ mutate prototypes other than at object construction. This is getting insanely complex.
Unresolved.

One point not recorded here: given MarkM's argument for Object.prototype.__proto__ as the one property to delete to remove this old beast, what kind of property does that appear to be to ES5's Object.getOwnPropertyDescriptor? Arguments pro and con for data property (as it appears to be in SpiderMonkey) vs. accessor (JSC intended to move to that from its hardcoded magic id handling in Get and Put code).

Argument for data property facade: an accessor allows extracting the setter from the property descriptor, call it stolen__proto__setter. Then if one makes an object with a bespoke proto-object but not delegating to Object.prototype:

  var o = { __proto__: Object.create(null) };

an attacker could mutate o's [[Prototype]] via stolen__proto__setter.call(o, evil_proto). This is not possible if Object.prototype.__proto__ reflects as a data property, because o's two-level proto chain is cut off from Object.prototype, so no further means of updating [[Prototype]] is available.

/be
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
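
The accessor-versus-data-property argument above, as an added example that is not part of the original message. It assumes a current engine (ES2015 or later), where Object.prototype.__proto__ reflects as an accessor, and it also checks two cases the message does not spell out: a frozen target, and a setter captured before the delete MarkM describes. The helper names (protoKind, retarget, demo) are illustrative.

```javascript
// Added example; helper names (desc, protoKind, retarget, demo) are illustrative.
const desc = () => Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');

// How Object.prototype.__proto__ reflects in this engine.
function protoKind() {
  const d = desc();
  if (d === undefined) return 'absent';
  return typeof d.set === 'function' ? 'accessor' : 'data';
}

// Apply a captured setter to target and report what happened to [[Prototype]].
function retarget(setter, target, newProto) {
  try {
    setter.call(target, newProto);
  } catch (e) {
    return 'rejected:' + e.name;
  }
  return Object.getPrototypeOf(target) === newProto ? 'mutated' : 'unchanged';
}

function demo() {
  const saved = desc();
  const stolen = saved.set; // the setter extracted from the property descriptor
  const other = { tag: 'constructed replacement prototype' };
  const out = { kind: protoKind() };

  // The object from the message: its chain never reaches Object.prototype.
  const o = { __proto__: Object.create(null) };
  out.cutOff = !Object.prototype.isPrototypeOf(o);

  // Plain assignment finds no setter on the chain, so it only adds an own property.
  const p = { __proto__: Object.create(null) };
  p['__proto__'] = other;
  out.assignment = Object.getPrototypeOf(p) === other ? 'mutated' : 'unchanged';

  // The extracted setter does not need the chain at all.
  out.stolenOnIsolated = retarget(stolen, o, other);

  // Mitigation: a non-extensible object has an immutable [[Prototype]].
  const frozen = Object.freeze({ __proto__: Object.create(null) });
  out.stolenOnFrozen = retarget(stolen, frozen, other);

  // Deleting the property stops later lookups, not a setter captured earlier.
  delete Object.prototype.__proto__;
  try {
    out.kindAfterDelete = protoKind();
    out.stolenAfterDelete = retarget(stolen, { __proto__: Object.create(null) }, other);
  } finally {
    Object.defineProperty(Object.prototype, '__proto__', saved); // restore the realm
  }
  return out;
}
```

Calling demo() returns the outcome of each case as a plain object. The delete only protects a frame if it runs before any untrusted code can read the descriptor.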
