Am I right to say that an instance of a function object is immutable, since there’s no way we could modify a function once it’s created?
Anyway, to rephrase my question:
```javascript
var f1 = function () {
  return true;
};

// Now I pass f1 into the function G, storing the result in g1
function G(f) {
  return function () {
    return f();
  };
}
var g1 = G(f1);

// I will try to hack/do anything I can to f1
// Now I will pass f1 to a hacked piece of injection code which (assumingly) will try to hack f1
g1(); // but I can be 100% sure this will still return me true
```
So now can I be sure that no matter what I do to f1, g1() will forever return me true?

Despite being interested in browsers with at least 0.5% of the internet users market share, I welcome answers that go along the lines of “in [x] browser this is not safe because..”

I am aware that since the code is run at the client, if the client has a malicious intent he will be able to do whatever he wants. But this question is specifically targeted at protecting “users who do not have malicious intents”, in other words, a normal user (if the user is a hacker then I don’t mind letting him mess with the functions any way he wants, since he’d get all the exceptions thrown in his face and that’s none of my business).
You cannot stop the variable `g1` from being reassigned on all browsers. Some browsers would allow you to define `g1` as a constant thus: which would prevent the name `g1` from being rebound, and you can use `Object.defineProperty` to define a read-only global property of `window` on others, but in general, there are no `const` definitions in JavaScript.

To make it clearer, consider two scenarios:

(1) An attacker can run code in the scope in which `f1` is declared, and then other code reads `f1`.

The attacker succeeds in this case in confusing the naive code because they changed the value at `f1`.

(2) An attacker runs code in the scope after `f1` has been read.

The attacker fails in this case because the cautious code read the value of `f1` before the attacker changed the value stored at `f1`, so the private `f` continues to return `true`.
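
The two scenarios from the answer above, together with the `Object.defineProperty` protection it mentions, as an added example that is not code from the original posts. The `scope` object is an assumption standing in for the shared global scope (`window` in a browser), and `naiveWrap` and `runDemo` are hypothetical names.

```javascript
// The question's wrapper: f is read once, when G is called, and kept in a closure.
function G(f) {
  return function () {
    return f();
  };
}

// Naive variant (hypothetical): looks the function up by name on every call.
function naiveWrap(scope, name) {
  return function () {
    return scope[name]();
  };
}

function runDemo() {
  "use strict"; // makes a write to a read-only property throw instead of failing silently

  // Plain object standing in for the shared global scope (assumption for this example).
  const scope = {};
  scope.f1 = function () { return true; };

  const g1 = G(scope.f1);            // cautious code: value of f1 captured now
  const n1 = naiveWrap(scope, "f1"); // naive code: value of f1 read at call time

  // Later code rebinds the name f1: scenario (2) for g1, scenario (1) for n1.
  scope.f1 = function () { return false; };
  const results = { cautious: g1(), naive: n1() };

  // The closure does not protect the name g1 itself, so pin the binding
  // with a read-only, non-configurable property.
  Object.defineProperty(scope, "g1", { value: g1, writable: false, configurable: false });
  results.rebindThrew = false;
  try {
    scope.g1 = function () { return false; };
  } catch (e) {
    results.rebindThrew = e instanceof TypeError;
  }
  results.bindingIntact = scope.g1 === g1;
  results.afterRebindAttempt = scope.g1();
  return results;
}

console.log(runDemo());
```

The closure protects only the captured value of `f`; the name `g1` needs the read-only property to survive a later assignment.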