Anticipate new hidden intrinsics: Iteration helpers #1289

Closed
erights opened this issue Sep 17, 2022 · 3 comments · Fixed by #1655 or #1670
Labels
integrity Corrupted execution continues ses

Comments

@erights
Contributor

erights commented Sep 17, 2022

As proposals advance in tc39, some will introduce new hidden intrinsics, starting with Iteration helpers. At the Sep 2022 tc39 meeting, we agreed on a compromise where the proposal provides code for discovering these new hidden intrinsics. The ses-shim would use this code in order to add these hidden intrinsics to the collection of intrinsics to be checked against the whitelist and hardened. This compromise is only needed until the getIntrinsics proposal lands, which will provide a unified mechanism for discovering all intrinsics.

https://github.com/tc39/proposal-iterator-helpers/pull/235/files is an adequate approximation of this agreement. We need to modify it so it doesn't fail if run on a system in which these are not present. With that modification, we should adopt it into the ses-shim well ahead of anyone shipping an engine that implements the Iterator helpers proposal.

(During the Google era of SES, we had a bad vulnerability due to failure to add code to discover the async generator intrinsics until after it was shipping. Fortunately, it was responsibly disclosed and we have no reason to believe it was ever maliciously exploited.)

Attn @michaelficarra @ljharb @kriskowal
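
The absence-tolerant discovery requested in the comment above, as an added example (not code from the linked proposal PR or from the ses-shim). The function names, the `globalObj` parameter and the `permitted` set are hypothetical; the intrinsic names are those of the Iterator helpers proposal.

```javascript
// Added example: find the hidden intrinsics introduced by Iterator helpers
// without throwing on engines that do not implement the proposal.
// `globalObj` is a hypothetical parameter so the absent case can be exercised.
function discoverIteratorHelperIntrinsics(globalObj = globalThis) {
  const found = {};
  const { Iterator } = globalObj;
  if (typeof Iterator !== 'function') {
    return found; // engine predates the proposal: nothing hidden to find
  }
  const iterProto = Iterator.prototype;

  // %IteratorHelperPrototype% is only reachable as the prototype of the
  // object a helper method such as map() returns.
  if (iterProto && typeof iterProto.map === 'function') {
    const source = [][Symbol.iterator]();
    const helper = iterProto.map.call(source, (x) => x);
    found['%IteratorHelperPrototype%'] = Object.getPrototypeOf(helper);
  }

  // %WrapForValidIteratorPrototype% is only reachable through Iterator.from()
  // applied to an iterator that does not inherit from Iterator.prototype.
  if (typeof Iterator.from === 'function') {
    const foreign = { next() { return { done: true, value: undefined }; } };
    found['%WrapForValidIteratorPrototype%'] =
      Object.getPrototypeOf(Iterator.from(foreign));
  }
  return found;
}

// Names of discovered intrinsics that the caller's permit list does not cover.
// `permitted` is a hypothetical Set of names, not the ses-shim's own structure.
function unpermittedIntrinsics(found, permitted) {
  return Object.keys(found).filter((name) => !permitted.has(name));
}

const discovered = discoverIteratorHelperIntrinsics();
console.log('hidden intrinsics found:', Object.keys(discovered));
console.log('not yet permitted:', unpermittedIntrinsics(discovered, new Set()));
```

Anything this returns that is missing from the permit list is an object reachable by guest code but not yet checked or hardened, which is the gap the issue asks to close before engines ship.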

@mhofman
Contributor

mhofman commented Sep 26, 2022

Even if we don't ship this ahead of engine implementations, it shouldn't be an issue since these hidden intrinsics are only available through new APIs not part of the whitelist, right?

@erights
Contributor Author

erights commented Dec 24, 2022

@kriskowal @mhofman what was the other thing we committed to fixing in anticipation?

@erights
Contributor Author

erights commented Jul 6, 2023

#1670 points out flaws in #1655, so reopening in anticipation of being properly closed by #1670

@erights erights reopened this Jul 6, 2023