> On Feb 19, 2015, at 9:23 AM, David Bruant <bruant.d at gmail.com> wrote:
> 
> Hi,
> 
> Half a million times the following meta-exchange happened on es-discuss:
> - if an attacker modifies Object.prototype, then you're doomed in all sorts of ways
> - Don't let anyone modify it. Just do Object.freeze(Object.prototype)!

Depending on your goals you could use Object.seal. It prevents new properties from being added, but allows you to modify existing properties. From there you could selectively re-define the existing properties with Object.defineProperty and set writable:false.

Although I wouldn’t trust the browser anyway and verify everything server side.

Luke

On Feb 19, 2015, at 9:23 AM, David Bruant <bruant.d at gmail.com> wrote:

> Half a million times the following meta-exchange happened on es-discuss:
> - if an attacker modifies Object.prototype, then you're doomed in all sorts of ways
> - Don't let anyone modify it. Just do Object.freeze(Object.prototype)!

Depending on your goals you could use Object.seal. It prevents new properties from being added, but allows you to modify existing properties. From there you could selectively re-define the existing properties with Object.defineProperty and set writable:false.

Although I wouldn’t trust the browser anyway and verify everything server side.