RESOLVED INVALID256258
Consider removing btoa/atob from JSC 
https://bugs.webkit.org/show_bug.cgi?id=256258
Summary Consider removing btoa/atob from JSC
Anne van Kesteren
Reported 2023-05-03 09:01:26 PDT
As far as I can tell these end up duplicating functionality provided by Base64Utilities (exposed to the web through Source/WebCore/page/WindowOrWorkerGlobalScope.idl). And it would be non-standard if that would mean they continue to be exposed in other contexts, such as ShadowRealms or worklets. On the other hand, if we need these to be exposed in PAC files we probably need something more complicated.
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2023-05-10 09:02:19 PDT
<rdar://problem/109155613>
Alexey Shvayka
Comment 2 2023-05-15 18:52:15 PDT
(In reply to Anne van Kesteren from comment #0) > As far as I can tell these end up duplicating functionality provided by > Base64Utilities (exposed to the web through > Source/WebCore/page/WindowOrWorkerGlobalScope.idl). And it would be > non-standard if that would mean they continue to be exposed in other > contexts, such as ShadowRealms or worklets. > > On the other hand, if we need these to be exposed in PAC files we probably > need something more complicated. Hey Anne, thank you for filing this! Please note that atob() / btoa() are only exposed for JSC shell (Tools/Scripts/run-jsc), along with ~100 other utility functions (e.g. createGlobalObject()), and not for any kind of web content. With that in mind, could you please expand your concerns regarding ShadowRealms / Worklets?
Anne van Kesteren
Comment 3 2023-05-16 00:45:13 PDT
Do we use the JSC shell for PAC files? Or does that also have its own runtime? If it's not exposed anywhere I don't have any concrete concerns.
Alexey Shvayka
Comment 4 2023-05-16 11:32:58 PDT
(In reply to Anne van Kesteren from comment #3) > Do we use the JSC shell for PAC files? Or does that also have its own > runtime? Can't tell for sure: tried grepping "FindProxyForURL" PAC, seems like we don't support that anymore? Also the latest radar on PAC is from 2011 it seems like it was implemented via JSC API so in a safe way w/o JSC shell. JSC shell has plenty of dangerous methods that greatly increase security risks, so it's not used anywhere around user-land code.
Anne van Kesteren
Comment 5 2023-05-16 23:49:21 PDT
Thanks!
Alexey Proskuryakov
Comment 6 2023-07-02 21:50:16 PDT
Correct, PAC file support doesn't use the jsc shell, and never did. It is implemented in CFNetwork using JavaScriptCore, of course.
Note You need to log in before you can comment on or make changes to this bug.