search

tc39 / proposal-ses

Draft proposal for SES (Secure EcmaScript)
222 stars 20 forks source link

Use case: Freezing intrinsics after loading only the polyfill modules #45

Closed petamoriken closed 2 years ago

petamoriken commented 2 years ago

Since the way to freeze intrinsics is provided as a lockdown function, it can only be done after all modules have been executed. This does not protect against the risk of malicious modules being injected.

import "./polyfill.mjs";
import { foo } from "./some-dep.mjs"; // already executed

// freeze intrinsics
lockdown();

foo();

How about introducing a new syntax instead of a function?

import "./polyfill.mjs";

// freeze intrinsics
do lockdown;

// executed later
import { foo } from "./some-dep.mjs";

foo();

Alternatively, Stage 1 Deferring Module Evaluation might help this issue.

import "./polyfill.mjs";
import { foo } from "./some-dep.mjs" with { lazyInit: true };

// freeze intrinsics
lockdown();

foo();
ljharb commented 2 years ago

It can be done already by stacking modules - your entry point imports a module that invokes lockdown, and then also imports a module that contains the rest of the app. Special syntax isn’t needed.

petamoriken commented 2 years ago

My understanding is that modules do not have a guaranteed execution order, so special syntax (or defer module eval) is needed, am I wrong?

ljharb commented 2 years ago

The execution order is quite strictly defined.

petamoriken commented 2 years ago

The issue seems to be based on my misunderstanding.

@ljharb Thank you for your help 😊