That's also the case for invalid LHS on assignment, e.g. `lhs() = 5`, which should be an early error but for web compat we make it a runtime error.
Overall, this could be something we expose, but: 1. There's a couple of additional complications around JS standards incompatible errors (like the two aforementioned ones), some of which are intentional 2. There's the rule-of-2 violation 3. This breaks streaming compilation (since the full body of the resource has to be available for parsing before it is sent to the renderer) 4. Parsing JS ain't cheap, and doing so as part of the network process, presumably before sending anything to the renderer, is quite a cost 5. We don't have a way of distinguishing valid JS from valid JSON during parse, so we'd effectively need to parse twice 6. Standards can change, and syntax can change with it, so whether or not something is blocked will be version dependent 7. The DX of blocking a script just because of a parse error may be suboptimal On Thu, Aug 12, 2021 at 9:37 AM 'Mathias Bynens' via v8-dev < [email protected]> wrote: > Another complication is that V8 currently doesn’t throw early (“parse”) > errors for regular expression literals (issue 896 > <https://bugs.chromium.org/p/v8/issues/detail?id=896>). This would have > to be resolved before we can accurately validate whether a given input is > valid JS or not. > > On Thu, Aug 12, 2021 at 9:31 AM 'Hannes Payer' via v8-dev < > [email protected]> wrote: > >> Hi Lukasz, >> >> To understand your question correctly: You want an API which returns true >> if the JavaScript input is valid, right? >> >> I think this surgery should be possible but I am deferring to the parser >> owners. @Leszek Swirski <[email protected]> @Toon Verwaest >> <[email protected]> WDYT? Maybe that's even a nice testing mode for JS >> language features. >> >> The parser is quite complicated which is a problem from a security >> perspective. That's a Rule-of-2 violation. >> >> -Hannes >> >> On Wed, Aug 11, 2021 at 9:21 PM 'Łukasz Anforowicz' via v8-dev < >> [email protected]> wrote: >> >>> Hello v8-dev@, >>> >>> Could you please help me with my questions below (related to parsing >>> Javascript)? Please let me know if I should try another email alias >>> instead (I wasn't quite sure where to start asking questions). >>> >>> Context: >>> >>> - ORB proposes <https://github.com/annevk/orb> to parse a HTTP >>> response body to verify if it can be parsed as Javascript (blocking >>> no-cors >>> HTTP responses if the response body doesn't represent Javascript, because >>> earlier ORB steps have already verified that the response doesn't >>> represent >>> other valid no-cors scenarios like audio/image/video/stylesheet/etc). >>> - AFAICT, public v8 APIs provide a way to compile a script >>> (e.g. v8::ScriptCompiler::CompileUnboundScript which takes a string as >>> input, and a v8::ScriptCompiler::StartStreaming which takes a stream as >>> input). OTOH, v8/src/parsing/parser.cc doesn't seem to be exposed via >>> the >>> public API. >>> >>> Questions: >>> >>> - *Would it be possible and/or reasonable to provide a public v8 API >>> for checking if a stream can be parsed as Javascript?* >>> - Assumption: No cache integration is needed (the parsing will >>> happen outside of a renderer process; no compilation will be done). >>> - Requirement: For JSON, the parser should indicate that this is >>> not a valid Javascript (e.g. for JSON objects + for JSON lists that >>> terminate without invoking any list methods) >>> - I am happy to tackle this work, but I may need some guidance >>> and hand-holding regarding some of the details. >>> - *Is it fair to describe Javascript parsing as risky from a >>> security perspective?* (e.g. something to avoid in a NetworkService >>> process and consider doing in a Utility process instead) >>> - On one hand, the input is a text stream (no binary offsets) and >>> the output is just a boolean (definitely-not-a-Javascript VS >>> the-prefix-still-parses-as-Javascript). And I imagine that the >>> essence of >>> the parser just mechanically transcribes the BNF rules for Javascript. >>> OTOH, parsers can get fairly complex, and so it seems that the act of >>> parsing might be seen as violating the Rule-of-2 >>> >>> <https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/rule-of-2.md> >>> . >>> >>> -- >>> Thanks, >>> >>> Lukasz >>> >>> -- >>> -- >>> v8-dev mailing list >>> [email protected] >>> http://groups.google.com/group/v8-dev >>> --- >>> You received this message because you are subscribed to the Google >>> Groups "v8-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/v8-dev/d4dd45ff-3b73-4d4b-883d-d2e8ba4123e7n%40googlegroups.com >>> <https://groups.google.com/d/msgid/v8-dev/d4dd45ff-3b73-4d4b-883d-d2e8ba4123e7n%40googlegroups.com?utm_medium=email&utm_source=footer> >>> . >>> >> >> >> -- >> >> >> Hannes Payer | V8 | Google Germany GmbH | Erika-Mann Str. 33, 80636 >> München >> >> Registergericht und -nummer: Hamburg, HRB 86891 | Sitz der Gesellschaft: >> Hamburg | Geschäftsführer: Matthew Scott Sucherman, Paul Terence Manicle >> >> -- >> -- >> v8-dev mailing list >> [email protected] >> http://groups.google.com/group/v8-dev >> --- >> You received this message because you are subscribed to the Google Groups >> "v8-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/v8-dev/CAKEgpyHrQ8tzyh%3D3RF58ww9bXbSZ%2BFO9ukGodgJcdb_tHom%3DXA%40mail.gmail.com >> <https://groups.google.com/d/msgid/v8-dev/CAKEgpyHrQ8tzyh%3D3RF58ww9bXbSZ%2BFO9ukGodgJcdb_tHom%3DXA%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- > -- > v8-dev mailing list > [email protected] > http://groups.google.com/group/v8-dev > --- > You received this message because you are subscribed to the Google Groups > "v8-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/v8-dev/CADizRgbND4szVdtmoUqTSwvr%3DduwB9SANRN8tAysxa9kONsHLA%40mail.gmail.com > <https://groups.google.com/d/msgid/v8-dev/CADizRgbND4szVdtmoUqTSwvr%3DduwB9SANRN8tAysxa9kONsHLA%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- -- v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev --- You received this message because you are subscribed to the Google Groups "v8-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/CAGRskv9jhWgPAqjiTvWuy0JCyLAgdYS_9PKgg-5bAqpuKyp81Q%40mail.gmail.com.
