feat(ses,module-source): Add ModuleSource shim #2463
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kriskowal
changed the title
kriskowal
force-pushed
the
kriskowal-module-source-shim
branch
from
98d1cbd
to
2e47ef8
Compare
kriskowal
commented
Sep 20, 2024
Comment on lines
+164
to
+172
| if (globalThis.ModuleSource) { | ||
| const AbstractModuleSourcePrototype = getPrototypeOf( | ||
| globalThis.ModuleSource.prototype, | ||
| ); | ||
| intrinsics['%AbstractModuleSourcePrototype%'] = | ||
| AbstractModuleSourcePrototype; | ||
| intrinsics['%AbstractModuleSource%'] = | ||
| AbstractModuleSourcePrototype.constructor; | ||
| } |
There was a problem hiding this comment.
A valid but annoying feedback reviewers might provide here is that we can’t anticipate whether ModuleSource will land in the language with or without an AbstractModuleSource on its prototype chain, so we could hedge our bets and add a repair for ModuleSource to force it to appear one way or the other, so that lockdown() doesn’t break if the AbstractModuleSource is absent. Or, we could go the other way and not have AbstractModuleSource by default, in which case SES would just delete it and issue a warning if it showed up.
There was a problem hiding this comment.
You read my mind, but that's just the risk with front-running proposals. No suggestion.
There was a problem hiding this comment.
Capturing here my reasoning for keeping AbstractModuleSource since it appears to be the path of least regret.
- We shim AbstractModuleSource and include it in SES permits:
- The application includes module-source/shim.js:
- The VM implements AbstractModuleSource: ✅ Lockdown’s fine
- The VM does not implement AbstractModuleSource: ✅ Lockdown’s fine. The shim currently stomps the native implementation. If it didn’t stomp the native implementation, Lockdown would tolerate the incomplete intrinsics.
- The application excludes module-source/shim.js:
- The VM implements AbstractModuleSource: ✅ Lockdown’s fine
- The VM does not implement AbstractModuleSource: ✅ Lockdown’s fine, but intrinsics are incomplete
- The application includes module-source/shim.js:
- We do not shim AbstractModuleSource and exclude it in SES permits:
- The application includes module-source/shim.js:
- The VM implements AbstractModuleSource: ✅ :man-shrugging: The shim currently stomps the native implementation, so this works out. But, if the shim surfaced the native implementation (and perhaps feature-checks that the native implementation behaves just like the shim deigning to fall through to native)
- The VM does not implement AbstractModuleSource: ✅ Lockdown’s fine
- The application excludes module-source/shim.js:
- The VM implements AbstractModuleSource: 💔 Lockdown is surprised to find AbstractModuleSource and chooses throw rather than attempt a repair. We don’t have the module source shim in play, so there’s nothing it can do to mitigate. We can’t require the module-source/shim.js because it entrains Babel.
- The VM does not implement AbstractModuleSource: ✅ Lockdown’s fine
- The application includes module-source/shim.js:
gibson042
approved these changes
Sep 20, 2024
kriskowal
force-pushed
the
kriskowal-module-source-shim
branch
2 times, most recently
from
fb9a58e
to
928cd19
Compare
kriskowal
force-pushed
the
kriskowal-module-source-shim
branch
from
928cd19
to
8f6291d
Compare
26 tasks
gibson042
approved these changes
Sep 24, 2024
kriskowal
force-pushed
the
kriskowal-module-source-shim
branch
from
8f6291d
to
f78f9d9
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Refs: #2252
Description
To test feature the degree of compatibility between a version of XS, XS with Endo shims, and Node.js with Endo shims, we need a shim for ModuleSource proper. This lets us create an environment with a global
ModuleSource, whereModuleSourceis a shared intrinsic of all Compartments.This change both introduces the shim and the necessary accommodations for the existence of a global ModuleSource shared intrinsic in SES.
Security Considerations
The new ModuleSource is subject to hardening of shared intrinsics during SES lockdown. A failure to harden the shared intrinsic would lead to a potential for interference or communication between isolated compartments.
Scaling Considerations
None.
Documentation Considerations
None.
Testing Considerations
This includes a test for SES that verifies that ModuleSource is properly propagated and hardened.
Compatibility Considerations
None.
Upgrade Considerations
None.