According to the Caja paper:
Forbidden names. In Firefox, access to the "__proto__" property of an object would grant the authority to create more objects like it, which violates the principle of least authority. Therefore, Caja rejects all names ending with "__" (double underscore). This also gives the Caja implementation a place to store its bookkeeping information where it is invisible to the Caja programmer.
I tried in Firebug, just seeing all the methods __proto__ has (i.e., pkcs11, atob, btoa, screenX, etc.), but I don't see a copy-type method. How is __proto__ exploited?
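
The point in the quoted passage, shown as an added example that is not part of the original post and is not Caja's own code: reading `__proto__` on one instance is enough to create another object of the same kind, and a check on names ending in a double underscore closes that route. `makeBank`, `Purse`, `cloneKind`, `isForbiddenName` and `guardedGet` are hypothetical names invented for this illustration.

```javascript
// Added illustration; not Caja's code. All names here are hypothetical.

// A module that hands out one Purse but keeps the Purse class private,
// so callers are not meant to be able to mint purses themselves.
function makeBank() {
  class Purse {
    constructor(balance) { this.balance = balance; }
    deposit(n) { this.balance += n; }
  }
  return { purse: new Purse(10), isPurse: (x) => x instanceof Purse };
}

// With __proto__ readable, holding one instance is enough to make another
// object that the bank accepts as a Purse, without ever seeing the class.
function cloneKind(obj) {
  return Object.create(obj.__proto__);
}

// The rule quoted above: reject every name ending in a double underscore.
function isForbiddenName(name) {
  return typeof name === 'string' && name.endsWith('__');
}

// Hypothetical guarded property read that applies the rule.
function guardedGet(obj, name) {
  if (isForbiddenName(name)) {
    throw new TypeError('forbidden name: ' + name);
  }
  return obj[name];
}

function demo() {
  const bank = makeBank();
  const forged = cloneKind(bank.purse);
  let blocked = false;
  try { guardedGet(bank.purse, '__proto__'); } catch (e) { blocked = true; }
  return {
    forgedAccepted: bank.isPurse(forged),               // unguarded route works
    balanceReadable: guardedGet(bank.purse, 'balance'), // ordinary names pass
    blocked,                                            // guarded route is refused
  };
}

console.log(demo());
```

In current engines `Object.getPrototypeOf` reaches the same prototype, so a name filter covers only the property route.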