Can you explain or support your assertion of "increased prevalence"?
On Fri, May 1, 2020, 05:51 Mike Sherov <[email protected]> wrote: > Given the increased prevalence of prototype pollution vulnerabilities in > many popular javascript libraries, is it time to reconsider the fact that > Object.assign allows for prototype pollution by default? > > I see two options: > 1. Change Object.assign to disallow PP by default. Look at real world > usages and see what would break if prototype pollution was disabled? Almost > certainly this is not a viable option, but wanted to raise it here just in > case there was appetite to do so. > 2. Introduce something like Object.safeAssign (bikeshedding aside), that > is the same as Object.assign except is safe from prototype pollution. > > The reason I think this is important is that the common advice of freezing > Object.prototype is something only the end user can do, and not something a > library can do. > > Yes, a library can also know to do its own PP fixes, but having a reified > way to avoid PP allows us to have a secure-by-default method in the > language. > > Thoughts? > > Mike Sherov > _______________________________________________ > es-discuss mailing list > [email protected] > https://mail.mozilla.org/listinfo/es-discuss >
_______________________________________________ es-discuss mailing list [email protected] https://mail.mozilla.org/listinfo/es-discuss
