Allow Javascript Extension (Just Not Overwriting)

[amark]

It obviously makes security sense to prevent

Object.keys

From being replaced.

But, SES also prevents me from polyfilling Object.keys if it doesn't exist. (Ah, SES doesn't work in older browsers, I'm assuming? That's not my fault tho as a library dev.)

Please allow for things to be extended. In your proxy you can just (pseudocode) check for:

if(target[key]){ return throw error }
target[key] = extension;

Security for read/getter accessors precede write/setters (as in, if the read/getters aren't verifiably enough on their own, then likely their is a security hole/gap waiting to be attacked.)

[Jack-Works]

I believe this is duplicated to #925 and #318

[ljharb]

Polyfills must all be completed before SES locks things down.

[kriskowal]

As @ljharb, polyfills must run before lockdown, but lockdown removes anything it doesn’t expressly permit. The latest version of SES now allows polyfills to run between the two phases of lockdown:

repairIntrinsics();
// your shim here
hardenIntrinsics();

This allows a polyfill to introduce new properties to shared intrinsics.