Provide some way to access the `globalThis` of the caller realm

In order to fully implement the semantics of perform a security check in WebIDL2JS for use in JSDOM, it‚Äôs necessary to be able to get the realm of the caller.

I propose to extend FunctionDeclarationInstantiation with:

9.2.10 FunctionDeclarationInstantiation ( func, argumentsList )

  1. If argumentsObjectNeeded is true, then
    1. Let callerContext be the second to top element of the execution context stack.
    2. Let callerRealm be callerContext's Realm.
    3. Perform ! DefinePropertyOrThrow(ao, "callerGlobal", PropertyDescriptor { [[Value]]: callerRealm.[[GlobalEnv]].[[GlobalThisValue]], [[Writable]]: true, [[Enumerable]]: false, [[Configurable]]: true }).
    4. Call env.InitializeBinding("arguments", ao).

This would add a non‚ÄĎenumerable callerGlobal property to the arguments object, which refers to the globalThis of the caller, making it possible to implement perform a security check in JavaScript.

An option would be to only do that if func has the [[CaptureCallerGlobal]] internal slot set to true, which would be done by the @captureCallerGlobal built‚ÄĎin decorator.

Isn't this a security problem? For sandboxes

We have generally been trying to remove ways for functions to introspect on their caller. I don't think it would be a good idea to add a new one.

Also, as a general matter, is there more motivation than "there is one algorithm in the HTML standard which is not implementable in pure JS"? I don't think that alone would be a sufficient reason to add this.

1 Like