tc39 / proposal-shadowrealm

ECMAScript Proposal, specs, and reference implementation for Realms
https://tc39.es/proposal-shadowrealm/

fixes #324: normative text to prevent the host environment from leaking object references #383

Closed caridy closed 5 months ago

caridy commented 1 year ago

This PR implements the consensus achieved during the Dec 1, 2022 plenary with respect to normative text that prevents a violation of the callable boundary.
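
The "callable boundary" this PR's normative text protects is the rule that only primitives and (wrapped) callables may pass between a ShadowRealm and its caller; an object reference crossing in either direction would give one side direct access to the other's object graph. The following is an added illustration, not code from the proposal, the spec text or this PR: a plain JavaScript model of that wrapping rule, with a constructed stand-in for a host-defined API that tries to return an object, which is exactly the leak the PR requires hosts to prevent. `wrapCrossRealm`, `createWrappedFunction`, `crossesBoundary`, `hostApiLeakingObject` and `demo` are names chosen for this example; a real engine enforces the boundary internally and exposes no such functions.

```javascript
// Added illustration, not code from the proposal or from this PR: a plain
// JavaScript model of the ShadowRealm callable boundary. In a real engine the
// boundary is enforced by the implementation; this model only makes the rule
// visible so the object "leak" the PR text forbids can be exercised.

// Model of the value-wrapping rule at the boundary: primitives cross as-is,
// callables cross as a fresh wrapper, any other object is rejected.
function wrapCrossRealm(value) {
  if (typeof value === 'function') {
    return createWrappedFunction(value);
  }
  if (value !== null && typeof value === 'object') {
    throw new TypeError('object references may not cross the callable boundary');
  }
  return value; // string, number, boolean, bigint, symbol, undefined, null
}

// Wrapper for a callable that lives on the other side of the boundary.
// Arguments and the return value are re-wrapped with the same rule, and an
// exception from the far side is replaced by a fresh TypeError so that the
// original error object (itself an object reference) does not leak either.
function createWrappedFunction(target) {
  return function wrapped(...args) {
    const wrappedArgs = args.map(wrapCrossRealm); // rejects object arguments
    let result;
    try {
      result = target(...wrappedArgs);
    } catch (_farSideError) {
      throw new TypeError('wrapped function threw on the other side of the boundary');
    }
    return wrapCrossRealm(result); // rejects object return values
  };
}

// Small harness: run a thunk and report whether the boundary let it through.
function crossesBoundary(thunk) {
  try {
    return { ok: true, value: thunk() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Constructed stand-in for a host-defined API exposed inside the realm that
// tries to hand its caller an internal object. This is the kind of leak the
// normative text in this PR requires hosts to prevent.
function hostApiLeakingObject() {
  return { internalState: 'must not escape' };
}

// Walk through the cases a reviewer of the boundary would want to see.
function demo() {
  const add = wrapCrossRealm((a, b) => a + b);
  const leak = wrapCrossRealm(hostApiLeakingObject);
  const thrower = wrapCrossRealm(() => { throw new RangeError('far side failure'); });
  const callsBack = wrapCrossRealm((cb) => cb(21)); // the callback is itself wrapped

  return {
    primitive: crossesBoundary(() => add(2, 3)),                       // ok, 5
    objectArgument: crossesBoundary(() => add({}, 1)),                 // TypeError
    objectReturn: crossesBoundary(leak),                               // TypeError: leak stopped
    farSideError: crossesBoundary(thrower),                            // TypeError, not RangeError
    callbackRoundTrip: crossesBoundary(() => callsBack((x) => x * 2)), // ok, 42
    identityNotShared: wrapCrossRealm(hostApiLeakingObject) !== hostApiLeakingObject,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `objectReturn` case is the one this PR is about: the host-defined function is callable, so it crosses the boundary, but the object it returns is stopped at the wrapper rather than handed to the caller. The `farSideError` case shows why even thrown errors are replaced: an `Error` instance is an object, and passing it through would be the same kind of leak.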

caridy commented 1 year ago

> LGTM modulo possible terminology clarification.

@erights I'm not 100% sure, I was reading the following section of the spec:

https://tc39.es/ecma262/#sec-hosts-and-implementations

And it seems to me that "host environment" (which typically includes objects or functions which allow obtaining input and providing output as host-defined properties of the global object) is the right term for this definition. Maybe one of the editors can help here.

erights commented 1 year ago

> LGTM modulo possible terminology clarification.
>
> @erights I'm not 100% sure, I was reading the following section of the spec:
>
> https://tc39.es/ecma262/#sec-hosts-and-implementations
>
> And it seems to me that "host environment" (which typically includes objects or functions which allow obtaining input and providing output as host-defined properties of the global object) is the right term for this definition.

Yeah, there's a circularity problem in deciding whether this resolves the problem: What's "host-defined"? Does it cover "implementation-defined"? My inclination is actually that it does, in which case your current language is fine. But I'd like to remove any ambiguity on that point.

> Maybe one of the editors can help here.

Please!

caridy commented 1 year ago

@mhofman wrote:

> In my mind the Host is the part that defines hooks and extensions for which the implementation is not specified in ECMA262, where implementation is for the parts covered by this spec. Since this spec text does not provide for an implementation to expose objects across the callable boundary, only host-defined behavior would if not constrained.

@erights that's the way I see it. We should be fine here.

caridy commented 6 months ago

@ptomato can we take this one to the finish line?

ptomato commented 6 months ago

Please take a look at whether this updated language satisfies the concerns.

caridy commented 5 months ago

I got the verbal approval from @mhofman on this one, merging!