Allow Javascript Extension (Just Not Overwriting)

Open amark opened this issue 3 years ago • 2 comments

It obviously makes security sense to prevent Object.keys from being replaced.

But, SES also prevents me from polyfilling Object.keys if it doesn't exist. (Ah, SES doesn't work in older browsers, I'm assuming? That's not my fault tho as a library dev.)

Please allow for things to be extended. In your proxy you can just (pseudocode) check for:

if (target[key]) { throw error; } // already defined: refuse to overwrite
target[key] = extension; // not defined yet: allow the extension

Security for read/getter accessors precedes write/setters (as in, if the read/getters aren't verifiably enough on their own, then likely there is a security hole/gap waiting to be attacked.)

amark, May 27 '22 09:05

I believe this is a duplicate of https://github.com/endojs/endo/issues/925 and #318

Jack-Works, May 27 '22 10:05

Polyfills must all be completed before SES locks things down.

ljharb, May 27 '22 14:05

As @ljharb said, polyfills must run before lockdown, but lockdown removes anything it doesn’t expressly permit. The latest version of SES now allows polyfills to run between the two phases of lockdown:

repairIntrinsics();
// your shim here
hardenIntrinsics();

This allows a polyfill to introduce new properties to shared intrinsics.

kriskowal, Jan 09 '24 01:01
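
The ordering discussed in this thread (add-only shims first, hardening second), as an added example that is not part of the original comments and is not SES code. It assumes a constructed stand-in object instead of a real intrinsic and uses Object.freeze in place of hardenIntrinsics(); `addOnly`, `shimThenHarden` and `standIn` are hypothetical names.

```javascript
// Added example: `addOnly`, `shimThenHarden` and `standIn` are hypothetical names.
// Object.freeze stands in for hardenIntrinsics(); this does not load SES.

// Define `key` on `target` only if it is absent (own or inherited).
// Returns 'added', 'exists' (refused to overwrite) or 'locked' (target frozen).
function addOnly(target, key, value) {
  if (key in target) return 'exists';
  const ok = Reflect.defineProperty(target, key, {
    value,
    writable: true,
    enumerable: false,
    configurable: true,
  });
  return ok ? 'added' : 'locked';
}

function shimThenHarden() {
  // Constructed stand-in for a shared intrinsic that lacks `hasOwn`.
  const standIn = { keys: (obj) => Object.keys(obj) };
  const originalKeys = standIn.keys;
  const hasOwn = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);

  // Phase 1 (after repairIntrinsics, before hardenIntrinsics): shims run here.
  const overwrite = addOnly(standIn, 'keys', () => []); // existing: refused
  const polyfill = addOnly(standIn, 'hasOwn', hasOwn);  // missing: added

  // Phase 2: lock the object down. Nothing can be added or replaced afterwards.
  Object.freeze(standIn);
  const lateShim = addOnly(standIn, 'entries', (obj) => Object.entries(obj));
  const lateSet = Reflect.set(standIn, 'keys', () => []); // false once frozen

  return {
    overwrite,
    polyfill,
    lateShim,
    lateSet,
    keysUntouched: standIn.keys === originalKeys,
    polyfillWorks: standIn.hasOwn({ a: 1 }, 'a'),
  };
}
```

A shim that arrives after the freeze gets 'locked' rather than silently succeeding, which is the failure a library sees when it loads after lockdown.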