endojs / endo

Endo is a distributed secure JavaScript sandbox, based on SES
Apache License 2.0

How to permit standard unshared magic powers, like WeakRef or Atomics? #791

Open michaelfig opened 3 years ago

michaelfig commented 3 years ago

[updated by @kriskowal 2024-01-09]

Document how to permit powerful globals like WeakRef or Atomics.


[original by @michaelfig 2021-06-18]

@erights wrote in: https://github.com/Agoric/agoric-sdk/pull/3171#discussion_r653140704

> Given https://github.com/endojs/endo/blob/479a3cafca6dcb85e441f2cb872a6e937ffe642c/packages/ses/src/whitelist.js#L1151 it is extremely distressing that you found Atomics in scope. The false in that whitelist entry should have caused that global to be silently removed.
>
> Likewise with https://github.com/endojs/endo/blob/479a3cafca6dcb85e441f2cb872a6e937ffe642c/packages/ses/src/whitelist.js#L1112 vs your use of SharedArrayBuffer in test-trap.js

Attn @kriskowal

It looks like the whitelisting process doesn't actually censor properties of the globalThis, as documented in https://github.com/endojs/endo/blob/master/packages/ses/src/whitelist-intrinsics.js#L254

Is that by design, or something ominous?

kriskowal commented 3 years ago

This is by design. SES init and lockdown make these inaccessible from within child compartments but leave them intact in the start compartment as a basis for constructing or delegating powers.

kriskowal commented 3 years ago

@erights Is this issue valid?

erights commented 3 years ago

> @erights Is this issue valid?

I changed the title to reflect the valid remaining concern