Node.js adds a property called `domain` to promises
See original GitHub issueMark and I noticed that Node.js adds a property called domain
to promises while running something from a REPL in SwingSet.
Mark says that domain
leads to all sorts of objects whose semantics we haven’t inspected for safety. This is an authority leak. If SES can’t remove the domain property from all promises before the promise is exposed to user code, then this is a severe authority leak for SES as run on Node.js. Fortunately it seems to only be a problem when code is run from a REPL.
[edit 2020-09-15 @kriskowal]
SES will not be secure on Node.js until we have the means to disable domains
. We must work with the Node.js project to reveal a command-line flag or the moral equivalent.
Issue Analytics
- State:
- Created 4 years ago
- Comments:32 (15 by maintainers)
Top Results From Across the Web
Domain | Node.js v19.3.0 Documentation
Any Promise s created in VM contexts no longer have a .domain property. Their handlers are still executed in the proper domain, however,...
Read more >NodeJS - Why current domain is undefined in Promise?
According to Node.js documentation module "domain" is deprecated with stability level 0. Better handle errors in another way ...
Read more >Guide to promises in Node.js - LogRocket Blog
Promises are generally created by calling a Promise constructor, which accepts a single callback function as an argument. The callback function, ...
Read more >AWS Lambda function handler in Node.js
The third argument, callback , is a function that you can call in non-async handlers to send a response. The callback function takes...
Read more >JavaScript developer reference for Azure Functions
As an Express.js, Node.js, or JavaScript developer, if you're new to ... The name property defined in function.json doesn't need to match ...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
One of the implicit albeit soft requirements is to avoid coupling SES to any particular module system. Currently, the same source works in a browser script, CJS, and ESM, since it’s just presenting its API as mutations to the global scope. This keeps the build system small and avoids initializing anything it doesn’t need.
I’m going to present a PR with the snippet above.
Now without caveats: