[whatwg/webidl] Can we change promise resolution behaviour to reduce security issues (Issue #1584) from Matthew Gaudet on 2026-03-27 (public-webapps-github@w3.org from March 2026)

From: Matthew Gaudet <notifications@github.com>
Date: Fri, 27 Mar 2026 10:38:27 -0700
To: whatwg/webidl <webidl@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/webidl/issues/1584@github.com>

mgaudet created an issue (whatwg/webidl#1584)

### What is the issue with the Web IDL Standard?

Hi WebIDL Maintainers, 

I'm working on [a proposal at TC39 right now](https://github.com/tc39/proposal-thenable-curtailment) (currently named Thenable Curtailment, but needs a better name eventually). The goal of this proposal is to enable consumers of ECM262 to handle 'thenables' with more safety. 

The current version of the proposal proposes adding an algorithm, currently named `MaybeDeferredPromiseResolve` which basically does the `PromiseResolve` steps, _unless the value being resolved is (or could be) a 'thenable'_, in which case it will stop the promise from resolving to any other values, but waits until the microtask queue is drained again to actually run the synchronous steps. 

The reason I've been pursuing this is that there's a number of security bugs which happen in web browsers when an algorithm resolves a promise with a value, which ends up unexpectedly running script due to `Object.protoytpe.then` causing any webIDL value to be able to trigger thenable behaviour after a native value is converted to a JS object.

I have [some evidence that this is plausibly 'mostly' web-compatible](https://github.com/tc39/proposal-thenable-curtailment/issues/7) (and am aware more detailed testing will be required). This proposal is now at Stage 2 of the TC39 process. I'm hoping that I can get interested parties to think in detail about places they could imagine this going wrong if we were to replace the [WebIDL resolve steps](https://webidl.spec.whatwg.org/#resolve) with MaybeDeferredPromiseResolve. 

This would have avoided a number of browser security vulnerabilities over the years, and I am reasonably convinced that something can be done to improve the browser security posture here, and hopefully with minimal breakage. It's notable that because of how 'thenables' are defined, it's relatively rare to see the deferral be needed, and I've not seen (yet!) any code which is doing this WebIDL resolve with the intention of doing sane things... basically, to a first approximation I've only ever seen the definition of `then` on Object.prototype or other IDL prototypes in exploit code. 

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/webidl/issues/1584
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/webidl/issues/1584@github.com>

Received on Friday, 27 March 2026 17:38:31 UTC