Throw TypeError when reading global references through a JSProxy

Throw TypeError when reading global references through a JSProxy

Allowing global references to be read through a proxy results in cross-origin information leaks. The ES6 spec currently does not mitigate this in any way. This CL adds a workaround that's easy for V8: throw whenever an unresolved reference would result in a proxy trap to be fired. I'm landing this so we can move forwards with staging proxies without putting users of --harmony at risk.

BUG=chromium:399951
LOG=n

Committed: https://crrev.com/01b8e7c7f62fe0fc74552c7d3909777fa50b3447
Cr-Commit-Position: refs/heads/master@{#32949}

[Toon Verwaest, 2015-12-17 12:06:08]

verwaest@chromium.org changed reviewers:
+ adamk@chromium.org, jkummerow@chromium.org

[Toon Verwaest, 2015-12-17 12:06:09]

ptal

[Jakob Kummerow, 2015-12-17 12:59:44]

lgtm

[Toon Verwaest, 2015-12-17 13:02:38]

The CQ bit was checked by verwaest@chromium.org

[commit-bot: I haz the power, 2015-12-17 13:02:46]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1529303003/20001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1529303003/20001

[adamk, 2015-12-17 13:27:54]

This is amazing. Why didn't you think of this before? :)

lgtm while we're behind a flag. Can you add more to the CL description about
this approach? In particular you should note that this is not (yet) defined by
any standard.

I think we should push on this on public-script-coord.

[Toon Verwaest, 2015-12-17 13:29:34]

The CQ bit was unchecked by verwaest@chromium.org

[adamk, 2015-12-17 13:36:41]

https://codereview.chromium.org/1529303003/diff/20001/test/mjsunit/harmony/pr...
File test/mjsunit/harmony/proxies-global-reference.js (right):

https://codereview.chromium.org/1529303003/diff/20001/test/mjsunit/harmony/pr...
test/mjsunit/harmony/proxies-global-reference.js:7: __proto__ = new Proxy({},
new Proxy({}, {
Maybe also add a test case where Object.prototype is the thing modified? That'll
show that we're not just tracking [[Prototype]] changes on the global itself.

[Toon Verwaest, 2015-12-17 13:37:05]

Description was changed from

==========
Throw TypeError when reading global references through a JSProxy

BUG=chromium:399951
LOG=n
==========

to

==========
Throw TypeError when reading global references through a JSProxy

Allowing global references to be read through a proxy results in cross-origin
information leaks. The ES6 spec currently does not mitigate this in any way.
This CL adds a workaround that's easy for V8: throw whenever an unresolved
reference would result in a proxy trap to be fired. I'm landing this so we can
move forwards with staging proxies without putting users of --harmony at work.

BUG=chromium:399951
LOG=n
==========

[adamk, 2015-12-17 13:37:58]

Description was changed from

==========
Throw TypeError when reading global references through a JSProxy

Allowing global references to be read through a proxy results in cross-origin
information leaks. The ES6 spec currently does not mitigate this in any way.
This CL adds a workaround that's easy for V8: throw whenever an unresolved
reference would result in a proxy trap to be fired. I'm landing this so we can
move forwards with staging proxies without putting users of --harmony at work.

BUG=chromium:399951
LOG=n
==========

to

==========
Throw TypeError when reading global references through a JSProxy

Allowing global references to be read through a proxy results in cross-origin
information leaks. The ES6 spec currently does not mitigate this in any way.
This CL adds a workaround that's easy for V8: throw whenever an unresolved
reference would result in a proxy trap to be fired. I'm landing this so we can
move forwards with staging proxies without putting users of --harmony at risk.

BUG=chromium:399951
LOG=n
==========

[Toon Verwaest, 2015-12-17 13:42:41]

Added the extra test.

[adamk, 2015-12-17 13:43:23]

Thanks, still lgtm

[Toon Verwaest, 2015-12-17 13:43:45]

The CQ bit was checked by verwaest@chromium.org

[Toon Verwaest, 2015-12-17 13:43:45]

The patchset sent to the CQ was uploaded after l-g-t-m from
jkummerow@chromium.org
Link to the patchset: https://codereview.chromium.org/1529303003/#ps40001
(title: "Increased testing")

[commit-bot: I haz the power, 2015-12-17 13:43:54]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1529303003/40001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1529303003/40001

[commit-bot: I haz the power, 2015-12-17 14:37:21]

Description was changed from

==========
Throw TypeError when reading global references through a JSProxy

Allowing global references to be read through a proxy results in cross-origin
information leaks. The ES6 spec currently does not mitigate this in any way.
This CL adds a workaround that's easy for V8: throw whenever an unresolved
reference would result in a proxy trap to be fired. I'm landing this so we can
move forwards with staging proxies without putting users of --harmony at risk.

BUG=chromium:399951
LOG=n
==========

to

==========
Throw TypeError when reading global references through a JSProxy

Allowing global references to be read through a proxy results in cross-origin
information leaks. The ES6 spec currently does not mitigate this in any way.
This CL adds a workaround that's easy for V8: throw whenever an unresolved
reference would result in a proxy trap to be fired. I'm landing this so we can
move forwards with staging proxies without putting users of --harmony at risk.

BUG=chromium:399951
LOG=n
==========

[commit-bot: I haz the power, 2015-12-17 14:37:22]

Committed patchset #3 (id:40001)

[commit-bot: I haz the power, 2015-12-17 14:37:51]

Description was changed from

==========
Throw TypeError when reading global references through a JSProxy

Allowing global references to be read through a proxy results in cross-origin
information leaks. The ES6 spec currently does not mitigate this in any way.
This CL adds a workaround that's easy for V8: throw whenever an unresolved
reference would result in a proxy trap to be fired. I'm landing this so we can
move forwards with staging proxies without putting users of --harmony at risk.

BUG=chromium:399951
LOG=n
==========

to

==========
Throw TypeError when reading global references through a JSProxy

Allowing global references to be read through a proxy results in cross-origin
information leaks. The ES6 spec currently does not mitigate this in any way.
This CL adds a workaround that's easy for V8: throw whenever an unresolved
reference would result in a proxy trap to be fired. I'm landing this so we can
move forwards with staging proxies without putting users of --harmony at risk.

BUG=chromium:399951
LOG=n

Committed: https://crrev.com/01b8e7c7f62fe0fc74552c7d3909777fa50b3447
Cr-Commit-Position: refs/heads/master@{#32949}
==========

[commit-bot: I haz the power, 2015-12-17 14:37:52]

Patchset 3 (id:??) landed as
https://crrev.com/01b8e7c7f62fe0fc74552c7d3909777fa50b3447
Cr-Commit-Position: refs/heads/master@{#32949}