29438 – JSON.stringify as invoked by wrapKey can have side-effects depending on what you pass it

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 29438 - JSON.stringify as invoked by wrapKey can have side-effects depending on what you pass it

Summary: JSON.stringify as invoked by wrapKey can have side-effects depending on what ...

Status:	RESOLVED MOVED

Alias:	None

Product:	Web Cryptography
Classification:	Unclassified
Component:	Web Cryptography API Document (show other bugs)
Version:	unspecified
Hardware:	PC All

Importance:	P2 normal
Target Milestone:	---
Assignee:	Mark Watson
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2016-02-08 22:23 UTC by Boris Zbarsky
Modified:	2016-05-24 00:44 UTC (History)
CC List:	3 users (show)

See Also:

Attachments

Description Boris Zbarsky 2016-02-08 22:23:37 UTC

The spec says:

  Let json be the result of representing key as a UTF-16 string conforming to the
  JSON grammar; for example, by executing the JSON.stringify algorithm specified
  in ECMA262.

This needs to clearly define where the objects passed to JSON.stringify are coming from, because JSON.stringify will do things like get .toJSON properties and call them, so if the objects come from the page global and someone defines a .toJSON on Object.prototype in the page, that will get invoked during this process.  Maybe the intent is that there be no observable side-effects; in that case the behavior needs to be clearly specified so as to avoid them.

Comment 1 Ryan Sleevi 2016-02-08 23:11:15 UTC

Assigning to Mark; Adding Harry and Virginie on a process point if Bugzilla or GitHub should be used and what should be done to the old links (in the TR directory)

Yes, the intent is no observable effects, and I agree, this is a defect. Do you have suggestions on how to make that unambiguous?

Comment 2 Boris Zbarsky 2016-02-09 01:38:56 UTC

What Gecko does in practice right now is that it converts the dictionary to a JS object in a new clean global, then does JSON.stringify on the result.  Since the global has clean prototypes and none of the dictionary members in this case have names that have any special meaning to the JSON.stringify algorithm this works out to no observable effects, I believe...

Another option would be a modified version of JSON.stringify with http://www.ecma-international.org/ecma-262/6.0/#sec-serializejsonproperty step 3 skipped.  I _think_ that this is sufficient to make things non-observable as well, and equivalent to the clean-global approach.  Would need careful checking.

Comment 3 Harry Halpin 2016-02-09 20:16:34 UTC

(In reply to Ryan Sleevi from comment #1)
> Assigning to Mark; Adding Harry and Virginie on a process point if Bugzilla
> or GitHub should be used and what should be done to the old links (in the TR
> directory)

My guess is that we should just migrate everything to Github. We could use this as a good exercise in checking to make sure all the bugs that are still open have a closed state or at least are re-activated as we are going to make a another push on the spec. 

If someone (hint hint) wants to do that, that, this would be grand. Otherwise, I can do it over the weekend.


> 
> Yes, the intent is no observable effects, and I agree, this is a defect. Do
> you have suggestions on how to make that unambiguous?

Comment 4 Mark Watson 2016-05-24 00:44:16 UTC

Moved to https://github.com/w3c/webcrypto/issues/88