When an object is given a transparent wrapper, the prototype is wrapped and copied into the wrapper object. That means that if the prototype of the wrappee is updated, the update will not be reflected in the wrapper. I don't yet know if this is a real problem and, since __proto__ is non-standard (esp. being able to mutate it), I'd be inclined to wait and see. (cpg of course makes this change visible to the web, so filing to give people a heads up.) Should we need to fix this, there is a relatively straightforward solution of, when __proto__ is set, looking up the object in all cross-compartment wrapper maps and updating any wrappers found. This is gnarly and best avoided.

Shell example: var g = newGlobal('new-compartment'); g.eval('var x = new Object()'); var x = g.x; var xpro = Object.getPrototypeOf(x); assertEq(xpro, g.Object.prototype); g.eval('x.__proto__ = null'); assertEq(Object.getPrototypeOf(x) === null, true); // fails assertEq(Object.getPrototypeOf(x) !== xpro, false); // fails

To wit: __proto__ works, thus, extending the test-case in comment, this assertion also fails: assertEq(Object.getPrototypeOf(x) === x.__proto__, true); // fails The reason is that __proto__ is just a property lookup which enters x's compartment which finds the live value of x.__proto__. On the bright side, if code is using non-standard __proto__ to set __proto__, they can just read __proto__ to get the correct value. I think the real fix to this is to never read a wrapper's prototype field (make it null or something).

This doesn't seem to be an issue anymore, resolving as WFM.