Tragedy or Hope in the Commons: The Race for JavaScript Prototype Override

JavaScript is a language of freedom. A defining feature of this freedom is the ability to override built-in prototypes. JavaScript also becomes a commons especially in the browser. It's a shared space where your application code, its dependencies, and even parts of browser extensions all co-exist within the same context. And, yes, malicious attackers also live there. In this commons, a constant struggle is happening between these stakeholders to override prototypes.

This session explores the forefront of this high-stakes game from three perspectives: the ecosystem, the attack/defense techniques, and the web standards. Can we ever achieve a state of harmony in this commons? The answer isn't clear yet. But that's why we should discuss it at JSConf :)

Outline

• Ecosystem: Competing Motivations for Overriding Prototypes
• A Contested Ground: Techniques for Attack and Defense
  • Techniques for overwriting prototypes.
  • Methods of defending against it.
  • How to bypass those defenses.
  • More stealth modification tactics.
• No Silver Bullet: A Look at Specifications Tackling This Issue
  • Object.freeze is too strong
  • ShadowRealm is not enough
  • SES is ongoing
• Case Study 1: Information Theft From An Extension via Prototype Pollution
• Case Study 2: How MetaMask Uses Endo
• The Future: How should we go along with this freedom?
  • Can We or Should We Get Access to Native Prototypes?: Lessons from debate for "use initial" directive
  • What about outside of JS?: Proposal for CSP, debugging feature, etc.