Subj : Re: How do you make an object's property const? To : Celso Aguiar From : Brendan Eich Date : Wed May 12 2004 08:05 pm Celso Aguiar wrote: > Brendan Eich wrote in message news:<40A026C5.805@meer.net>... > >>That's the only way today. You might hack a makeConst native helper >>function that anyone can call to make a non-const property const. I'm >>not sure that an evil script in a mixed-trust setting could not abuse >>it, but I can't think of an attack right now. > > > As you mentioned security, would a mechanism for notifying clients of > object/variables replacement be something useful/feasible, say, for > 2.0? > Object/function replacement is evidently an asset in JS, but it does > introduce security issues which are very hard to track down and plug. > With such callback mechanism, clients would at least be able to decide > which replacements should be allowed to go through. JS2 makes it possible to hide information and prevent access. So you wouldn't really need to leave things open to attack, then try to save the day at the last second, so to speak. If you want to intercept an attempt to set something, and check whether it should be allowed, you're probably dealing with a JS1 world. In that case, people today use native embedding APIs such as SpiderMonkey's JS API to watch or handle gets and sets, but there's no "meta-object protocol" in JS1 by which you can do such things using JS1. A MOP for JS2 would be interesting, but would frustrate a lot of the optimization possibilities, and is not included in ECMA Edition 4 for that reason. > Great to hear 2.0 is on the move. I was at Waldemar's talk a couple of > weeks ago, and was very impressed with the new possibilities. As he > said: > "better over-design now than be sorry later". Where was that talk? I missed it. /be .