endojs / endo

Endo is a distributed secure JavaScript sandbox, based on SES
Apache License 2.0

Add `Promise.withResolvers` to permits list #1850

Closed doodlewind closed 10 months ago

doodlewind commented 10 months ago

closes: #1849

Description

This adds `Promise.withResolvers` to the permits list.

Security Considerations

Scaling Considerations

Documentation Considerations

Testing Considerations

Upgrade Considerations

kriskowal commented 10 months ago

Tapping @erights. I am almost 100% confident that this is complete and consistent with our design. Hardened JavaScript does not ensure that all objects obtained through shared intrinsics are themselves hardened, just that their prototypes are hardened. We do not harden instances returned by intrinsics unless they themselves are implicitly shared with other compartments. I’m merging and commit to fix before release if not.
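Added example, not part of the thread and not endo's code: it illustrates the point that instances returned by an intrinsic are not hardened, using `Promise.withResolvers`. `freezeSharedIntrinsic` and `makeResolvers` are hypothetical helpers, and `Object.freeze` is used as a shallow stand-in for what `lockdown()` and `harden` do in SES.

```javascript
// Stand-in for lockdown() on one shared intrinsic (assumption: SES freezes
// far more than this; here only the constructor and its prototype).
function freezeSharedIntrinsic(ctor) {
  Object.freeze(ctor.prototype);
  Object.freeze(ctor);
}

// Promise.withResolvers where the engine provides it, otherwise the
// equivalent construction from the TC39 proposal: a fresh plain object.
function makeResolvers() {
  if (typeof Promise.withResolvers === 'function') {
    return Promise.withResolvers();
  }
  let resolve, reject;
  const promise = new Promise((res, rej) => { resolve = res; reject = rej; });
  return { promise, resolve, reject };
}

function demo() {
  freezeSharedIntrinsic(Promise);
  const kit = makeResolvers();
  const report = {
    prototypeFrozen: Object.isFrozen(Promise.prototype), // shared, so frozen
    kitFrozen: Object.isFrozen(kit),                     // fresh record
    promiseFrozen: Object.isFrozen(kit.promise),         // fresh instance
    freshPerCall: makeResolvers() !== kit,               // never shared implicitly
  };

  // The record is an ordinary mutable object: whoever holds it can swap fields.
  kit.resolve = () => 'replaced';
  report.kitMutable = kit.resolve() === 'replaced';

  // A caller that passes the record to code it does not trust freezes it
  // first (in SES this would be harden(kit)). Reflect.set reports the
  // rejected write as false in both strict and sloppy mode.
  const shared = Object.freeze(makeResolvers());
  report.frozenKitRejectsWrite =
    Reflect.set(shared, 'resolve', () => {}) === false;
  return report;
}

console.log(demo());
```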

erights commented 10 months ago

> commit to fix before release if not

Please add a comment above the entry linking to https://github.com/tc39/proposal-promise-with-resolvers, consistent with other such comments in permits.js

erights commented 10 months ago

Other than that, LGTM

> does not ensure that all objects obtained through shared intrinsics are themselves hardened, just that their prototypes are hardened. We do not harden instances returned by intrinsics unless they themselves are implicitly shared with other compartments.

Of those two sentences, the second is correct. The first sentence by itself