Hello v8-dev@, Could you please help me with my questions below (related to parsing Javascript)? Please let me know if I should try another email alias instead (I wasn't quite sure where to start asking questions).
Context: - ORB proposes <https://github.com/annevk/orb> to parse a HTTP response body to verify if it can be parsed as Javascript (blocking no-cors HTTP responses if the response body doesn't represent Javascript, because earlier ORB steps have already verified that the response doesn't represent other valid no-cors scenarios like audio/image/video/stylesheet/etc). - AFAICT, public v8 APIs provide a way to compile a script (e.g. v8::ScriptCompiler::CompileUnboundScript which takes a string as input, and a v8::ScriptCompiler::StartStreaming which takes a stream as input). OTOH, v8/src/parsing/parser.cc doesn't seem to be exposed via the public API. Questions: - *Would it be possible and/or reasonable to provide a public v8 API for checking if a stream can be parsed as Javascript?* - Assumption: No cache integration is needed (the parsing will happen outside of a renderer process; no compilation will be done). - Requirement: For JSON, the parser should indicate that this is not a valid Javascript (e.g. for JSON objects + for JSON lists that terminate without invoking any list methods) - I am happy to tackle this work, but I may need some guidance and hand-holding regarding some of the details. - *Is it fair to describe Javascript parsing as risky from a security perspective?* (e.g. something to avoid in a NetworkService process and consider doing in a Utility process instead) - On one hand, the input is a text stream (no binary offsets) and the output is just a boolean (definitely-not-a-Javascript VS the-prefix-still-parses-as-Javascript). And I imagine that the essence of the parser just mechanically transcribes the BNF rules for Javascript. OTOH, parsers can get fairly complex, and so it seems that the act of parsing might be seen as violating the Rule-of-2 <https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/rule-of-2.md> . -- Thanks, Lukasz -- -- v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev --- You received this message because you are subscribed to the Google Groups "v8-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/d4dd45ff-3b73-4d4b-883d-d2e8ba4123e7n%40googlegroups.com.
