Exposed=* vs Exposed=Shadow #398
Comments
|
Right, Exposed=* doesn't work for anything event loop related, because of worklets. I wonder what happens when you construct a ShadowRealm inside such a worklet? I think that just argues against exposing such things to ShadowRealms. |
|
The main reason for |
|
Or we don't expose shadow realms in certain globals. There's a lot of options, but you can't impose event loops on all (potential) globals. |
|
Oh, I thought we already made that decision a while ago when we decided to make the global object of a shadow realm an event target. |
|
? EventTarget is unrelated to the event loop. |
|
Ok, I think I understand it now. It seems that we have multiple options: A. Is there any other option? It sounds to me (with my very limited knowledge) that option B is superior, but I have no idea how that could be spec'd. |
|
Another option is to not expose anything in shadow realms which is not exposable to worklets, i.e. not expose anything which has an event loop dependency. I believe that was the original consensus. |
|
Yeah, the original idea was that shadow realms would only have features we could imagine being in all possible (including future) global environments. That's why What syntax to use if you decide to stray from the original idea would need some consideration. |
|
@annevk @domenic here is where we need your guidance and knowledge. The only recent change was about timers, specifically setTimeout & co. Since we are not in the business of protecting against side-channel attacks (spectre/meltdown), we have no reasons to prevent or sensor timers, for those reasons, we thought it was OK to include setTimeout & co in the initial list. It seems that this has bigger implications (which we didn't know). In other words, we have no opinions on whether or not this can be/should be included or not. Additionally, I will like to know what other APIs depend on the event loop? we can double check our use-cases against those! |
|
While timers would be convenient, they aren't essential for any ShadowRealm use case I've heard of. I like following the philosophy of exposing to ShadowRealms the intersection of what will be available in any conceivable environment. This sounds like a convenient rule of thumb when deciding what to put in ShadowRealms, avoiding the need for web spec developers to think through "confidentiality" and "integrity" with respect to a certain programming model that they might not be familiar with. |
|
Specifically, not exposing any APIs that depend on an event loop seems like a good criterion, and the rationale outweighs the requests in #393 for the convenience provided by setTimeout. Concretely, this would mean reverting the recent changes to whatwg/html#9893 re. {set,clear}{Timeout,Interval}, and closing whatwg/dom#1253. Agreed?
@Ms2ger is double-checking that none of the other, non-timer, APIs that we proposed to have in ShadowRealm have this dependency. I'm not sure about queueMicrotask; at first glance it seems that it only depends on having a current execution stack, not an event loop, but we'd need to verify that. |
|
Given that |
|
The point raised by Anne and Domenic in this thread isn't objecting to timing facilities being accessible inside ShadowRealm. There is The problem with Anne and Domenic point out that worklets don't have an event loop, so if you create a ShadowRealm inside a worklet, it cannot have
(1) seems not feasible at this time, like it would require making the dependency on the event loop optional in |
|
While that's true and I agree with your analysis of 1 and 3, I think that 2 will be far more ergonomic and intuitive to developers than 4, since in 4 they'll have to pass it in manually in most cases anyways. |
The one I'm curious about in worklets is |
We don't have to agree on this, but I have different priorities there — I think doing 1 some time in the future is the only really ergonomic solution. None of the others are really my first choice, to be honest. I find 2 more of a short-term win, but has the disadvantage that when you import some code that uses ShadowRealm and setTimeout, it might not work depending on which realm you import it into. So library authors will have to code defensively and not use setTimeout anyway, or ask consumers to pass it in like in 4. I agree with you that 4 is probably going to go against developers' intuition in the short-term, but at least if you have to pass in setTimeout yourself, you'll easily identify the problem if the principal realm you're working in has no setTimeout. So I think it has better debuggability, which I tend to value highly. |
|
Update: igalia has reverted the changes for timers (whatwg/html@1edd30b) and closed the PR for AbortSignal.timeout (whatwg/dom#1253). That put us back to square one with respect to this issue. It looks like we are in agreement to continue pursuing Exposed=*, which means there will be no setTimeout & co in SR for now. Once whatwg/html#10136 is resolved, we can reassess this in the future to try to have a version of the option 1 described above to make it more ergonomic for developers. @annevk @domenic how do you feel about this outcome? can we close this and move on? |
|
Yeah, if no other APIs were added with similar dependencies we should be okay. |
|
Trying to solve #401, I've made a proposal for this in w3ctag/design-principles#509. It explicitly says that APIs depending on an event loop should not be annotated with |
|
Given the positive comments on w3ctag/design-principles#509, I think the event loop question is clear. We'll keep |
whatwg/dom#1253 suggests that in order to be a global you now need to support an event loop. When we started out with this that's not what ShadowRealms would imply. And in fact it would be the APIs we could imagine each global to support.
I wonder if this means we should simply give them their own Exposed value and add that in various places.
Correct me if I'm wrong, but I don't think all worklets have an event loop for instance.
cc @domenic @littledan @Ms2ger @ptomato
The text was updated successfully, but these errors were encountered: