Re: [whatwg/webidl] Can we change promise resolution behaviour to reduce security issues (Issue #1584) from Matthew Gaudet on 2026-03-27 (public-webapps-github@w3.org from March 2026)

From: Matthew Gaudet <notifications@github.com>
Date: Fri, 27 Mar 2026 12:28:30 -0700
To: whatwg/webidl <webidl@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/webidl/issues/1584/4144771784@github.com>

mgaudet left a comment (whatwg/webidl#1584)

Concretely it would be anything which uses the WebIDL resolve steps. The problem isn't so much that the IDL is actively 'wrong' so much as it is that it's very easy for implementations to not realize that resolving a promise runs script basically any time. 

If we made this change we actually could guarantee that resolving a promise never ran script at the cost of -some- promise reactions happening in later ticks. 

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/webidl/issues/1584#issuecomment-4144771784
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/webidl/issues/1584/4144771784@github.com>

Received on Friday, 27 March 2026 19:28:34 UTC