Discoverability of wrapper prototypes #173
Comments
|
Iterator.prototype already exists, it’s not newly introduced. I believe the only new one is the AsyncIterator prototype. I don’t think it makes sense to need to expose the sync one on a global, and i don’t think it makes sense for the two not to be consistently on or not on the global. |
|
No I'm talking about |
|
Isn’t that Iterator.prototype and AsyncIterator.prototype, respectively? |
|
Not from my reading. These are new prototype intrinsics that have as |
|
and where would these go? All builtin iterator prototype objects (except the newly exposed ones on Iterator/AsyncIterator) are “hidden” - matchAll’s was the most recently added. I think that if we want a convention of exposing these, they should all be done at once, setting a precedent for future ones as well, rather than trying to draw a line in the sand of “old” hidden ones and “new” exposed ones. (note that the get intrinsic proposal explicitly is not solving discoverability of intrinsics) |
|
@michaelficarra you asked me to add an issue to the proposal to capture my objection just now in the tc39 plenary. Does this issue cover it? It seems so to me. What else should we capture? |
|
@erights I asked you to capture your opinion on this issue. In particular, I'm not interested in making these new intrinsics reachable in this way, so I'd like to figure out how we can not block this proposal on the addition of something like |
|
I do consider it a requirement to, as we say, "not break the web". Introducing new intrinsics that are not discoverable by old code, and that thereby makes currently secure sites insecure, is a breaking change that should block this proposal, until this proposal is fixed. |
|
@erights could you show examples of code that the current proposal can break? |
|
@erights ? |
|
About the current issue - I agree with @ljharb. Here is no difference, for example, with We can get |
Yes. If this PR were implemented and deployed, but Hardened JS https://github.com/endojs/endo/blob/master/packages/ses was not changed to incorporate the code that @michaelficarra posted at https://github.com/tc39/proposal-iterator-helpers/pull/235/files , then Hardened JS would be broken. These hidden primordials would still be unfrozen after |
|
@erights it looks like an issue of EndoJS. Such moments should have been foreseen by its architecture since they are common for many new JS essences. Because of such moments, I'm skeptical about frozen JS environments. |
|
To be clear, new hidden intrinsics (defined as not discoverable through a simple property / prototype walk from the global) are not a problem for such frozen environments and libraries implementing them, as long as these hidden intrinsics are only ever reachable through new APIs, which should be automatically denied by these libraries (and are by EndoJS / SES-shim). The real problem is when exposing new hidden intrinsics through existing APIs or syntax. Edit: I realize this is contradicting my original issue, but this is to clarify what I believe is the conclusion of the discussion and compromise reached at the last plenary. |
And please remain skeptical. In fact, please try to find things we may have overlooked, like this or otherwise, that may compromise our security. I try my best to remain skeptical too. But if you do find something, please let us know. |
|
@erights sure -) |
#172 made me realize that this proposal introduces 2 new hidden intrinsics for the wrapper prototypes, aka that are only discoverable by calling the
Iterator.fromandAsyncIterator.frommethods with well formed iterators.Since the spec still doesn't provide a unified way to discover user exposed intrinsics (see @ljharb get intrinsic proposal), we'd like to make sure these are discoverable by walking the globals (combination of
getOwnPropertyDescriptorsandgetPrototypeOf)The text was updated successfully, but these errors were encountered: