github at esdiscuss.org (2013-07-12T02:26:57.624Z)
V8 already poisons when getOwnPropertyDescriptor has a setter and this
setters is the `__proto__` one:
https://code.google.com/p/v8/source/browse/trunk/src/v8natives.js#390
This means V8 always throws and does not preserve the same realm, if I
understand what that means:
```js
document.body.appendChild(document.createElement('iframe'))
frames[0].Object.prototype.__proto__ = Object.prototype;
Array.prototype.__proto__ = frames[0].Array.prototype;
```
Or maybe was about cross domain security ?
I've also already landed a bug+patch for V8 so that a flag at launch time
can eventually make that setter available:
https://code.google.com/p/v8/issues/detail?id=2645
Let's see how this goes
V8 already poisons when getOwnPropertyDescriptor has a setter and this setters is the __proto__ one: https://code.google.com/p/v8/source/browse/trunk/src/v8natives.js#390 This means V8 always throws and does not preserve the same realm, if I understand what that means: document.body.appendChild(document.createElement('iframe')) frames[0].Object.prototype.__proto__ = Object.prototype; Array.prototype.__proto__ = frames[0].Array.prototype; Or maybe was about cross domain security ? I've also already landed a bug+patch for V8 so that a flag at launch time can eventually make that setter available: https://code.google.com/p/v8/issues/detail?id=2645 Let's see how this goes On Sun, Apr 21, 2013 at 11:53 AM, Brendan Eich <brendan at mozilla.com> wrote: > Allen Wirfs-Brock wrote: > >> On Apr 21, 2013, at 11:12 AM, Brendan Eich wrote: >> >> David Herman wrote: >>> >>>> On Apr 21, 2013, at 8:55 AM, Allen Wirfs-Brock<allen at wirfs-brock.**com<allen at wirfs-brock.com>> >>>> wrote: >>>> >>>> Deleting Object.prototype.__proto__ will not be be specified as >>>>> disabling {__proto__: foo}. >>>>> >>>> Was that what we'd agreed to? >>>> >>> I think what Allen means is, whether or not there's a magic >>> Object.prototype.__proto__, you can >>> >> > Note "can" here. > > > define (as in [[DefineOwnProperty]]) a plain old data property (or an >>> accessor, for that matter, just different syntax) whose name is '__proto__' >>> in an object literal. >>> >> >> No, see the spec. strawman I posted. >> >> What I mean is that: >> let obj = {__proto__: null} >> will always create an object whose [[Prototype]] is null. Regardless of >> whether or not anybody has done: >> delete Object.prototype.__proto__. >> > > Yes, that's what I just wrote! > > What part was unclear? > > > There is no good reason to link the semantics of __proto__ in an object >> literal to the existence of Dunder proto on Object.prototype. The standard >> semantics of object literal properties in ES5 have no dependencies upon the >> shape of Object.prototype. >> > > We agree. > > > This is specified by ES5, already. >>> >> >> Doesn't matter because what ES5 specifies is already incompatible with >> web reality when the property name is __proto__. >> > > No. Browsers implementing ES5 and de-facto __proto__ use > [[DefineOwnProperty]] per ES5 to make '__proto__' in 'var o = {__proto__: > "haha"}' an own data property shadowing Object.prototype.__proto__. > > Anything else (some variation on de-facto __proto__ that uses a magic > per-object hidden [[DefineOwnProperty]], e.g.) breaks ES5. > > /be > > ______________________________**_________________ > es-discuss mailing list > es-discuss at mozilla.org > https://mail.mozilla.org/**listinfo/es-discuss<https://mail.mozilla.org/listinfo/es-discuss> > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20130421/11e50bc7/attachment.html>