29438 2016-02-08 22:23:37 +0000 JSON.stringify as invoked by wrapKey can have side-effects depending on what you pass it 2016-05-24 00:44:16 +0000 1 1 1 Unclassified Web Cryptography Web Cryptography API Document unspecified PC All RESOLVED MOVED P2 normal --- 1 bzbarsky watsonm hhalpin public-webcrypto virginie.galindo oldest_to_newest 124917 0 bzbarsky 2016-02-08 22:23:37 +0000 The spec says: Let json be the result of representing key as a UTF-16 string conforming to the JSON grammar; for example, by executing the JSON.stringify algorithm specified in ECMA262. This needs to clearly define where the objects passed to JSON.stringify are coming from, because JSON.stringify will do things like get .toJSON properties and call them, so if the objects come from the page global and someone defines a .toJSON on Object.prototype in the page, that will get invoked during this process. Maybe the intent is that there be no observable side-effects; in that case the behavior needs to be clearly specified so as to avoid them. 124918 1 sleevi 2016-02-08 23:11:15 +0000 Assigning to Mark; Adding Harry and Virginie on a process point if Bugzilla or GitHub should be used and what should be done to the old links (in the TR directory) Yes, the intent is no observable effects, and I agree, this is a defect. Do you have suggestions on how to make that unambiguous? 124922 2 bzbarsky 2016-02-09 01:38:56 +0000 What Gecko does in practice right now is that it converts the dictionary to a JS object in a new clean global, then does JSON.stringify on the result. Since the global has clean prototypes and none of the dictionary members in this case have names that have any special meaning to the JSON.stringify algorithm this works out to no observable effects, I believe... Another option would be a modified version of JSON.stringify with http://www.ecma-international.org/ecma-262/6.0/#sec-serializejsonproperty step 3 skipped. I _think_ that this is sufficient to make things non-observable as well, and equivalent to the clean-global approach. Would need careful checking. 124940 3 hhalpin 2016-02-09 20:16:34 +0000 (In reply to Ryan Sleevi from comment #1) > Assigning to Mark; Adding Harry and Virginie on a process point if Bugzilla > or GitHub should be used and what should be done to the old links (in the TR > directory) My guess is that we should just migrate everything to Github. We could use this as a good exercise in checking to make sure all the bugs that are still open have a closed state or at least are re-activated as we are going to make a another push on the spec. If someone (hint hint) wants to do that, that, this would be grand. Otherwise, I can do it over the weekend. > > Yes, the intent is no observable effects, and I agree, this is a defect. Do > you have suggestions on how to make that unambiguous? 126548 4 watsonm 2016-05-24 00:44:16 +0000 Moved to https://github.com/w3c/webcrypto/issues/88