What is the issue with the Web IDL Standard?
Hi WebIDL Maintainers,
I'm working on a proposal at TC39 right now (currently named Thenable Curtailment, but needs a better name eventually). The goal of this proposal is to enable consumers of ECM262 to handle 'thenables' with more safety.
The current version of the proposal proposes adding an algorithm, currently named MaybeDeferredPromiseResolve which basically does the PromiseResolve steps, unless the value being resolved is (or could be) a 'thenable', in which case it will stop the promise from resolving to any other values, but waits until the microtask queue is drained again to actually run the synchronous steps.
The reason I've been pursuing this is that there's a number of security bugs which happen in web browsers when an algorithm resolves a promise with a value, which ends up unexpectedly running script due to Object.protoytpe.then causing any webIDL value to be able to trigger thenable behaviour after a native value is converted to a JS object.
I have some evidence that this is plausibly 'mostly' web-compatible (and am aware more detailed testing will be required). This proposal is now at Stage 2 of the TC39 process. I'm hoping that I can get interested parties to think in detail about places they could imagine this going wrong if we were to replace the WebIDL resolve steps with MaybeDeferredPromiseResolve.
This would have avoided a number of browser security vulnerabilities over the years, and I am reasonably convinced that something can be done to improve the browser security posture here, and hopefully with minimal breakage. It's notable that because of how 'thenables' are defined, it's relatively rare to see the deferral be needed, and I've not seen (yet!) any code which is doing this WebIDL resolve with the intention of doing sane things... basically, to a first approximation I've only ever seen the definition of then on Object.prototype or other IDL prototypes in exploit code.
What is the issue with the Web IDL Standard?
Hi WebIDL Maintainers,
I'm working on a proposal at TC39 right now (currently named Thenable Curtailment, but needs a better name eventually). The goal of this proposal is to enable consumers of ECM262 to handle 'thenables' with more safety.
The current version of the proposal proposes adding an algorithm, currently named
MaybeDeferredPromiseResolvewhich basically does thePromiseResolvesteps, unless the value being resolved is (or could be) a 'thenable', in which case it will stop the promise from resolving to any other values, but waits until the microtask queue is drained again to actually run the synchronous steps.The reason I've been pursuing this is that there's a number of security bugs which happen in web browsers when an algorithm resolves a promise with a value, which ends up unexpectedly running script due to
Object.protoytpe.thencausing any webIDL value to be able to trigger thenable behaviour after a native value is converted to a JS object.I have some evidence that this is plausibly 'mostly' web-compatible (and am aware more detailed testing will be required). This proposal is now at Stage 2 of the TC39 process. I'm hoping that I can get interested parties to think in detail about places they could imagine this going wrong if we were to replace the WebIDL resolve steps with MaybeDeferredPromiseResolve.
This would have avoided a number of browser security vulnerabilities over the years, and I am reasonably convinced that something can be done to improve the browser security posture here, and hopefully with minimal breakage. It's notable that because of how 'thenables' are defined, it's relatively rare to see the deferral be needed, and I've not seen (yet!) any code which is doing this WebIDL resolve with the intention of doing sane things... basically, to a first approximation I've only ever seen the definition of
thenon Object.prototype or other IDL prototypes in exploit code.