Bug 256258

Summary: Consider removing btoa/atob from JSC
Product: WebKit Reporter: Anne van Kesteren <annevk>
Component: JavaScriptCoreAssignee: Yijia Huang <yijia_huang>
Status: RESOLVED INVALID    
Severity: Normal CC: ashvayka, webkit-bug-importer, yijia_huang
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Description Anne van Kesteren 2023-05-03 09:01:26 PDT 
As far as I can tell these end up duplicating functionality provided by Base64Utilities (exposed to the web through Source/WebCore/page/WindowOrWorkerGlobalScope.idl). And it would be non-standard if that would mean they continue to be exposed in other contexts, such as ShadowRealms or worklets.

On the other hand, if we need these to be exposed in PAC files we probably need something more complicated.
Comment 1 Radar WebKit Bug Importer 2023-05-10 09:02:19 PDT 
<rdar://problem/109155613>
Comment 2 Alexey Shvayka 2023-05-15 18:52:15 PDT 
(In reply to Anne van Kesteren from comment #0)
> As far as I can tell these end up duplicating functionality provided by
> Base64Utilities (exposed to the web through
> Source/WebCore/page/WindowOrWorkerGlobalScope.idl). And it would be
> non-standard if that would mean they continue to be exposed in other
> contexts, such as ShadowRealms or worklets.
> 
> On the other hand, if we need these to be exposed in PAC files we probably
> need something more complicated.

Hey Anne, thank you for filing this!

Please note that atob() / btoa() are only exposed for JSC shell (Tools/Scripts/run-jsc), along with ~100 other utility functions (e.g. createGlobalObject()), and not for any kind of web content.

With that in mind, could you please expand your concerns regarding ShadowRealms / Worklets?
Comment 3 Anne van Kesteren 2023-05-16 00:45:13 PDT 
Do we use the JSC shell for PAC files? Or does that also have its own runtime?

If it's not exposed anywhere I don't have any concrete concerns.
Comment 4 Alexey Shvayka 2023-05-16 11:32:58 PDT 
(In reply to Anne van Kesteren from comment #3)
> Do we use the JSC shell for PAC files? Or does that also have its own
> runtime?

Can't tell for sure: tried grepping "FindProxyForURL" PAC, seems like we don't support that anymore? Also the latest radar on PAC is from 2011 it seems like it was implemented via JSC API so in a safe way w/o JSC shell.

JSC shell has plenty of dangerous methods that greatly increase security risks, so it's not used anywhere around user-land code.
Comment 5 Anne van Kesteren 2023-05-16 23:49:21 PDT 
Thanks!
Comment 6 Alexey Proskuryakov 2023-07-02 21:50:16 PDT 
Correct, PAC file support doesn't use the jsc shell, and never did.

It is implemented in CFNetwork using JavaScriptCore, of course.