POWER: IDL syntax? #262
Comments
|
Sounds good to me. Should I poke @heycam about adding something to WebIDL, or define something in this document for the moment? |
|
(Relatedly, I'm wondering if adding an attribute to the global object would be a reasonable thing to do...) |
|
I'm happy to spell the concept however folks who know things about WebIDL want me to spell it. |
|
I guess we need to decide on the semantics first. When added, would the API simply not be present in non-privileged contexts? Or would it be a method annotation of sorts that makes the method throw or reject the promise the method returns? |
|
I'd suggest the latter. That's what Chrome and Firefox are doing now for things like ServiceWorker. |
|
Okay, in that case I suggest we invent a |
|
I would rather not overload I agree with @annevk that we need to decide on semantics. Gecko certainly has ways to mark things privileged which cause them to not appear at all in what we consider non-privileged contexts. We obviously also have ways of making things just throw. Which one is desired depends on whether we want non-privileged contexts to be able detect that the functionality is supported in a privileged context, right? Are there any other reasons to expose in a non-privileged context? In general, I'm leery of exposing always-throwing API, esp. of the property getter variety... |
|
Chrome always exposes Crypto and SW. Gecko always exposes SW. We might be stuck with throwing. However, I was thinking of trying to limit this to methods. Those that request permission grants or get the thing rolling. I agree that throwing on property getters would be ugly. |
Not in anything we've actually shipped we don't. We could totally change the nightly behavior here if that's desired. |
|
We should revisit this; Chrome continues to expose the feature, and that makes sense to me. The feature is there, it just doesn't work. I can see reasonable arguments for the alternative: the feature doesn't work, you see. I think I vaguely prefer leaving the API in place, and allowing it to do something reasonable based on its processing model (e.g. Geolocation would call the error callback, a Promise-based system would reject, etc). WDYT? |
|
@mikewest If the behavior would have to be defined in prose anyway (which is what you're suggesting), what is the value of the IDL annotation, exactly? |
|
Sorry, I should have been more clear: if we continue exposing the feature, I don't think there's value in the IDL annotation. The annotation is only interesting if we stop exposing the feature entirely, as that seems reasonably definable in IDL, as opposed to prose in every effected specification. |
|
Why is it not reasonable for IDL to check if the environment is a secure context and throw (which results in a rejected promise if the thing returns a promise) if that is not the case? |
|
I guess I was thinking of "legacy" APIs like Geolocation that use callbacks. If we agree that we should throw or reject, then defining that in IDL for new APIs might be reasonable. shrug Do we agree on that? :) |
|
I think so. The couple of legacy APIs we have would indeed need to hook into the primitives themselves. But new APIs not needing any complicated language would greatly simplify adoption. |
|
Again, we've had significant pushback from web developers in the past when an API throws-when-touched. This is especially critical for attribute getters (due to libraries that enumerate all attributes on objects you pass in to them), a bit less so for methods. So whether we agree on the throwing really depends on what the APIs involved look like. One viable option if we do want the throwing behavior would be to have the extended attribute only apply to methods, not to attributes. That leaves inconsistencies between methods and attributes, if there are any attributes we don't want available in insecure contexts. So that's the first question: are there any such attributes, and do we foresee any appearing in the future? |
|
Chrome isn't currently blocking any attributes based on secure contexts. |
|
If I'm reading the thread correctly, it sounds like:
It seems to me like having this notation could be valuable as we look at restricting more of the web API to secure contexts. And it seems like checking for the presence of an API is already an established pattern for backward compatibility reasons. Do folks think that it would be reasonable to move the currently restricted stuff (e.g., WebCrypto) from throwing to being hidden? |
Specifically for throwing attribute getters. Note that WebCrypto doesn't throw at all, by the way, since you can get |
|
Yeah, I was being lazy and conflating reject and throw. It seems like "throw when called" and "return a rejected promise" are pretty much equivalent, when it comes to methods? |
|
They are, yes. |
|
I took a stab at this in whatwg/webidl#65. I am not a WebIDL expert, so help with the patch's language would be very appreciated. :) |
As discussed in w3c/webappsec-secure-contexts#8 (and w3c/webappsec#262), this patch defines a [SecureContext] extended attribute for interfaces, interface members, and dictionaries with constructors, whose presence prevents the construct from being exposed in ECMAScript global environments that are not secure contexts.
|
This was fixed (and it turned out more than kind of nice, yay). |
and others
It would be kind of nice to have IDL syntax for restricting a feature to secure^H^H^H^H^Hprivileged contexts. Makes API review even easier.
The text was updated successfully, but these errors were encountered: