endo
Revisit behavior of `has` proxy trap in safe evaluator’s terminal scope
The `has` trap in the safe evaluator’s terminal scope proxy (before and after #1293) leaks the presence or absence of properties on the realm’s intrinsic global object. The current behavior might be the optimal compromise, but we should revisit the possibility of making `has` always return `true` to fully blot out the parent scope. @kumavis’s preliminary investigation suggests that this would break too much existing usage. We should isolate the cases that this change would break and evaluate next steps.
We also noted that "scuttling the realm global" could change the behavior of code running inside a compartment due to this info leak.
Added the security label because of the information leak.
Since we last discussed this, scuttling the realm global has become a normal practice for MetaMask. @kumavis Did that shift make patching the leak more viable?
@weizman Did we see any change in behavior / bugs introduced to LavaMoat confined code under scuttling?
"Making `has` always return `true`" does seem like the safest behavior.
`typeof xyz` will not throw, will be `"undefined"`, and `Reflect.has(globalThis, 'xyz')` will be false bc it is now a normal object. This seems like the best situation.
The following code will break: code relying on utterance of non-existing global variables to throw an error. Seems rare. If you find some I'll buy you a chocolate bar :chocolate_bar:
My recommendation: let's make the change in SES! Especially when we're lined up for a breaking change.
No, none
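The difference discussed in this thread, as an added sketch that is not part of the original issue and is not SES source: a `with`-based scope whose `has` trap either mirrors the realm global or claims every name. `makeScope`, `probe`, `demo`, the policy names `mirror` and `blot`, and the `constructed…` property names are assumptions made for this illustration.

```javascript
// Added sketch, not SES source. makeScope, probe, demo and the policy names
// 'mirror' and 'blot' are hypothetical names used only for this illustration.
function makeScope(policy) {
  return new Proxy(Object.create(null), {
    has(_target, prop) {
      // 'mirror': claim a name only when the realm global has it; absent names
      // fall through to the real global scope and raise ReferenceError.
      // 'blot': claim every name, so no lookup ever falls through.
      return policy === 'blot' ? true : prop in globalThis;
    },
    // Claimed names read as undefined, so realm values are never exposed.
    // The Symbol.unscopables check made by `with` also lands here.
    get() {
      return undefined;
    },
  });
}

// Returns what confined strict code observes when it mentions `name`:
// the typeof result, or the name of the error thrown by a bare reference.
function probe(policy, compartmentGlobals, name) {
  if (!/^[A-Za-z_$][\w$]*$/.test(name)) throw new TypeError('identifier expected');
  // Function-constructor bodies are sloppy mode, so `with` is available even
  // when this file is loaded as strict or module code.
  const build = new Function(`
    with (this) {            // outer scope: the terminal proxy
      return function () {
        with (this) {        // inner scope: the compartment's own globals
          return function () {
            'use strict';
            try { ${name}; return typeof ${name}; } catch (e) { return e.name; }
          };
        }
      };
    }`);
  return build.call(makeScope(policy)).call(compartmentGlobals)();
}

// Constructed demo: one property planted on the realm global, one name absent.
function demo() {
  globalThis.constructedRealmProp = 1;
  try {
    const names = ['constructedRealmProp', 'constructedAbsentProp', 'answer'];
    const observe = (policy) => names.map((n) => probe(policy, { answer: 42 }, n));
    return { mirror: observe('mirror'), blot: observe('blot') };
  } finally {
    delete globalThis.constructedRealmProp;
  }
}
```

Under `mirror` the two constructed names are distinguishable from inside the scope; under `blot` they are not, and a bare mention of an undeclared name no longer throws.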