<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Object.prototype.__proto__ getter still provides access to WindowProxy"

   href="https://bugs.webkit.org/show_bug.cgi?id=159756">159756</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>Object.prototype.__proto__ getter still provides access to WindowProxy

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>WebKit Nightly Build

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>JavaScriptCore

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>erights&#64;gmail.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Re <a class="bz_bug_link 

          bz_status_REOPENED "

   title="REOPENED"

   href="show_bug.cgi?id=141865">https://bugs.webkit.org/show_bug.cgi?id=141865</a> , the underlying problem remains. At <a class="bz_bug_link 

          bz_status_REOPENED "

   title="REOPENED"

   href="show_bug.cgi?id=141865#c11">https://bugs.webkit.org/show_bug.cgi?id=141865#c11</a> I write:

The more interesting case is:

<span class="quote">&gt;&gt;&gt; (function(){'use strict'; var g = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__').get; return g();})();</span >

so that g is obtained from a local environment record rather than the global one. On this, FF Nightly 50.0a1 (2016-07-13) correctly throws

TypeError: get __proto__ method called on incompatible undefined

whereas Webkit Nightly 9.1.1 (11601.6.17, r203190) returns the WindowPrototype, which is just as dangerous as ever.

At <a class="bz_bug_link 

          bz_status_REOPENED "

   title="REOPENED"

   href="show_bug.cgi?id=141865#c9">https://bugs.webkit.org/show_bug.cgi?id=141865#c9</a> Brent asked me to open a new bug if this is still a problem. Hence this new bug.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>