JSConf JP

Tragedy or Hope in the Commons: The Race for JavaScript Prototype Override

Session / Track B / English

JavaScript is a language of freedom. One defining feature of that freedom is the ability to override built-in prototypes. In the browser especially, JavaScript is also a commons: a shared space where your application code, its dependencies, and even parts of browser extensions all coexist in the same global context. And, yes, malicious attackers live there too. In this commons, the stakeholders are locked in a constant struggle over who gets to override which prototypes.

This session explores the front line of this high-stakes game from three perspectives: the ecosystem, the attack and defense techniques, and the web standards. Can this commons ever reach a state of harmony? The answer isn't clear yet, which is exactly why it's worth discussing at JSConf :)

Outline

  • Ecosystem: Competing Motivations for Overriding Prototypes
  • A Contested Ground: Techniques for Attack and Defense
    • Techniques for overwriting prototypes
    • Methods of defending against them
    • How to bypass those defenses
    • Stealthier modification tactics
  • No Silver Bullet: A Look at Specifications Tackling This Issue
    • Object.freeze is too strong
    • ShadowRealm is not enough
    • SES is ongoing
  • Case Study 1: Information Theft From An Extension via Prototype Pollution
  • Case Study 2: How MetaMask Uses Endo
  • The Future: How should we go along with this freedom?
    • Can we, or should we, get access to native prototypes? Lessons from the debate over the "use initial" directive
    • What about outside of JS? Proposals for CSP, debugging features, etc.
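As an added example (not material from the talk or its speaker), the following Node.js script plays out the race sketched in the abstract and in the "Contested Ground" and "No Silver Bullet" items above, inside one realm: a hostile dependency hooks Array.prototype.includes, a defender that snapshotted the intrinsics first is unaffected, a defender that only sets writable:false is bypassed through Object.defineProperty, and an Object.freeze that arrives after the hook both locks the hook in and rejects a legitimate polyfill. The names isAllowedToken, the leaked sink, and the lastItem polyfill are assumptions made for the illustration; leaked.push stands in for whatever exfiltration a real hook would do.

```javascript
'use strict';
// Constructed example: several stakeholders share one realm's Array.prototype.
// Every name below (isAllowedToken, leaked, lastItem) is an illustrative assumption.

const leaked = [];   // stands in for the data a hostile hook exfiltrates

// --- Application code: trusts whatever currently sits on the prototype. ---
function isAllowedToken(allowlist, token) {
  return allowlist.includes(token);
}

// --- Defender, posture 1: snapshot intrinsics before any dependency runs, and
// later call the captured function instead of the prototype's current one.
// Reflect.apply is captured too, because Function.prototype.call/apply are
// themselves overridable and a stealthy hook would target them next. ---
function snapshotIntrinsics() {
  return { includes: Array.prototype.includes, apply: Reflect.apply };
}
function isAllowedTokenHardened(intrinsics, allowlist, token) {
  return intrinsics.apply(intrinsics.includes, allowlist, [token]);
}

// --- Hostile dependency, technique 1: plain assignment to the prototype. ---
function hookByAssignment() {
  const original = Array.prototype.includes;
  Array.prototype.includes = function (...args) {
    leaked.push(...args);                 // side channel
    return original.apply(this, args);    // behave normally so nobody notices
  };
}

// --- Defender, posture 2: restore the original and make the property
// non-writable, but leave it configurable (a common half-measure). ---
function restoreAndLockWritable(intrinsics) {
  Object.defineProperty(Array.prototype, 'includes', {
    value: intrinsics.includes, writable: false, configurable: true,
  });
}

// --- Hostile dependency, technique 2: assignment now throws (strict mode) or is
// silently ignored, but defineProperty still succeeds on a configurable property. ---
function hookByDefineProperty() {
  const original = Array.prototype.includes;
  Object.defineProperty(Array.prototype, 'includes', {
    value: function (...args) {
      leaked.push(...args);
      return original.apply(this, args);
    },
  });
}

// --- Defender, posture 3: Object.freeze the whole prototype. Every property
// becomes non-writable and non-configurable and the object is non-extensible. ---
function freezeArrayPrototype() {
  Object.freeze(Array.prototype);
}
// A legitimate polyfill that loads after the freeze is rejected as well.
function tryPolyfill() {
  try {
    Object.defineProperty(Array.prototype, 'lastItem', {
      value() { return this[this.length - 1]; }, writable: true, configurable: true,
    });
    return typeof Array.prototype.lastItem === 'function';
  } catch (e) {
    return false;   // TypeError: Array.prototype is not extensible
  }
}

// Run the race in a fixed order and report what each party achieved.
function runScenario() {
  const r = {};
  const intrinsics = snapshotIntrinsics();            // defender loads first
  const allowlist = ['alpha', 'beta'];

  hookByAssignment();                                 // hostile dependency loads
  r.naiveResult = isAllowedToken(allowlist, 'beta');  // correct answer...
  r.leakedAfterNaive = leaked.length;                 // ...but the token leaked
  r.hardenedResult = isAllowedTokenHardened(intrinsics, allowlist, 'beta');
  r.leakedAfterHardened = leaked.length;              // unchanged: hook never ran

  restoreAndLockWritable(intrinsics);                 // defender reacts
  try { hookByAssignment(); } catch (e) { /* TypeError under strict mode */ }
  r.assignmentBlocked = Array.prototype.includes === intrinsics.includes;
  hookByDefineProperty();                             // bypass via defineProperty
  r.defineBypassed = Array.prototype.includes !== intrinsics.includes;
  isAllowedToken(allowlist, 'alpha');
  r.leakedAfterBypass = leaked.length;                // grew again

  freezeArrayPrototype();                             // defender freezes, too late
  r.hookSurvivesFreeze = Array.prototype.includes !== intrinsics.includes;
  r.polyfillAllowed = tryPolyfill();                  // false: freeze is too strong
  return r;
}
```

Call runScenario() once from a fresh process; it mutates Array.prototype irreversibly, so a second call in the same realm would fail at the freeze step. The ordering is the whole point: the snapshot defender wins only because it ran before the dependency, the writable-only lock is defeated by a configurable property, and a freeze that lands after the hook preserves the attacker's code while breaking everyone else's ability to extend the prototype.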