'getRandomValues' in WebCrypto throws if receiver isn't a 'Crypto' instance.

[rbuckton]

There's a slight difference here in that getRandomValues as currently specified in WebCrypto must be invoked with a receiver which is a crypto object: (0, crypto.getRandomValues)(new Uint8Array()) fails.

Note that the receiver just needs to be a crypto object:

let i = document.createElement('iframe');
document.body.append(i);
i.contentWindow.crypto.getRandomValues.call(crypto, new Uint8Array());

works.

The fact that crypto works this way is pretty unfortunate and, as I understand it, is just an accident of history: I'm pretty sure it's because crypto was specified before namespaces were introduced to WebIDL, which was done specifically to make (0, console.log)() work (done here). But it is what it is.

Originally posted by @bakkot in https://github.com/tc39-transfer/proposal-csprng/pull/2#issuecomment-583111388

[rbuckton]

Opening this as a separate issue to ensure we track this and discuss ramifications with the individuals involved with the WebCrypto spec.

[bakkot]

I don't believe this to be a web compatibility issue, however. Not throwing an error shouldn't make any existing code break today, though it would be worthwhile to discuss this more with someone directly involved with the WebCrypto spec about maintaining compatibility.

Originally posted by @rbuckton in https://github.com/tc39/proposal-csprng/pull/2#issuecomment-583113393

Agreed.

[rbuckton]

NOTE: @bakkot I edited your comment to add a link to where I originally wrote that comment, for anyone coming to this discussion later.