Yes, only own properties are taken into account.
I think there might be some open issues related to __proto__ depending on
whether it ends up being an accessor or magic data property in the end.
On Aug 17, 2012 6:04 AM, "Andrea Giammarchi" <andrea.giammar...@gmail.com>
wrote:
> As far as I can tell, Object.observe(obj) create a notifier in the obj
> itself which means, after that, if you Object.prototype.whatever = 123; the
> obj notifier *won't* fire since it's not its own property and I do hope
> this works with own properties only otherwise not only we can have
> hijacking attacks but tremendous performance impact ( if a notifier has to
> automatically create a notifier up to the proto chain until the null
> prototype ... a non-sense, imho )
>
> On Fri, Aug 17, 2012 at 11:01 AM, gaz Heyes <gazhe...@gmail.com> wrote:
>
>> On 17 August 2012 10:57, Andrea Giammarchi
>> <andrea.giammar...@gmail.com>wrote:
>>
>>> the Notifier is lazily instantiated and I believe not enumerable so
>>> JSON.stringify should ever expose this property.
>>>
>>> Moreover, it does not look like there is a {}.__notifier__ property
>>> anywhere, Object.getNotifier(obj) is required indeed so a WeakMap that
>>> relates the obj, and its notifier, cannot be serialized in a meaningful way
>>> via JSON.stringify neither.
>>>
>>
>> Ah no I wasn't talking about the JSON object but remotely hacking JSON
>> feeds themselves using external scripts and hijacking the Object prototype
>> with Observe.
>>
>
>
> _______________________________________________
> es-discuss mailing list
> es-discuss@mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>
>
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
