CODEWITHSUNDEEP
javascriptecmascript-5
Brad Dwyer
Brad Dwyer

Reputation: 6494

What good are Object.freeze and Object.seal if they can be overwritten?

I'm wondering why ECMA5's Object.freeze and Object.seal are not themselves frozen.

Are they not useless if you can just run this at the top of the page:

Object.freeze = function() {};
Object.seal = function() {};

In my tests this completely negates their use since you can't rely on their functionality.

Upvotes: 2

Views: 449

Answers (2)

Guffa
Guffa

Reputation: 700372

They are useful for protecting the code from itself, not for protecting it from malicious code.

You can use them to minimise the damage that an error in your own code can do. In some ways this can be seen as a step closer to the encapsulation that is available in object oriented languages.

You can't use those methods to protect your code against various attacks. You can use them to make it somewhat harder to manipulate the code, but there are too many ways around them to offer something that you can call protection.

Upvotes: 1

matts
matts

Reputation: 6897

freeze and seal are one part of protecting your code when you will be running untrusted code, and they are useful when you control the runtime environment. You need to freeze or seal objects before handing them to the untrusted code.

For instance, if you had a site where a user could submit code to control a robot, you would freeze the robot object, then pass it to the user's uploaded code. It wouldn't matter at that point if the user tried to overwrite freeze or seal. You wouldn't let user code execute before you had set up your environment and frozen the objects though.

Upvotes: 2

Related Questions