Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: add regenerator runtime taming (#2383)
Closes: #621 Refs: #1950 ## Description regenerator-runtime is a widely used package in the ecosystem. It is used to support generators and async functions transpiled to ES5. This PR adds an option `legacyRegeneratorRuntimeTaming` to fix `regenerator-runtime` from 0.10.5 to 0.13.7. Although the newer version of the regenerator runtime package is compatible with lockdown, some libraries bundle old (hence "legacy") regenerator runtime in their code and it's not practical to get them all to upgrade. - `legacyRegeneratorRuntimeTaming: 'safe'` do nothing. - `legacyRegeneratorRuntimeTaming: 'unsafe-ignore'` turns `Iterator.prototype[@@iterator]` to a funky accessor that drops all assignments to it. Note: `regenerator-runtime` is doing this: ```js Gp[iteratorSymbol] = function () { return this; } ``` which is effectively ```js IteratorPrototype[Symbol.iterator] = function () { return this; } ``` ### Security Considerations The replacement function from legacy regenerator runtime is the same as the native code, so it is "safe" to drop this assignment, in the sense that it does not cause any bad effects. However, this option drops the assignment by dropping any assignment to `IteratorPrototype[Symbol.iterator]`, since we have no practical way to ensure that the assignment it drops is exactly the one above. Thus, this option is not actual safe since it causes any other such assignment to be ignored silently. This echoes the unsafety of ES3 and of sloppy mode, where failed assignments were silently ignored. Such behavior is unsafe because it allows control flow to proceed into code that assumes the assignment succeeded. That's why ES5 strict mode changed failed assignments to throw. To emphasize the hazard, we have named this setting of the option `'unsafe-ignore'`. ### Scaling Considerations Nothing ### Documentation Considerations If you're hitting problems with an old version of regenerator-runtime (or any package that bundles it), you might need this. ### Testing Considerations Tests added for the specific effect of this PR. However, to avoid introducing even a devDependency on a legacy version of regenerator runtime, no automated test has been added to test that compatibility. Instead, this PR can be tested like this: ```js import './lockdown.umd.js' lockdown({ legacyRegeneratorRuntimeTaming: 'unsafe-ignore', errorTaming: 'unsafe', consoleTaming: 'unsafe' }) const script = document.createElement('script') script.src = 'https://cdn.jsdelivr.net/npm/[email protected]/runtime.js' document.head.appendChild(script) ``` ### Compatibility Considerations Note: Some version of `regenerator-runtime` requires to be run in the sloppy mode. Thus, these are incompat with the ses-shim independent of this option. ### Upgrade Considerations No > Update `NEWS.md` for user-facing changes. TODO.
- Loading branch information