[Bug 29438] New: JSON.stringify as invoked by wrapKey can have side-effects depending on what you pass it from bugzilla@jessica.w3.org on 2016-02-08 (public-webcrypto@w3.org from February 2016)

From: <bugzilla@jessica.w3.org>
Date: Mon, 08 Feb 2016 22:23:37 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-29438-7213@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=29438

            Bug ID: 29438
           Summary: JSON.stringify as invoked by wrapKey can have
                    side-effects depending on what you pass it
           Product: Web Cryptography
           Version: unspecified
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Web Cryptography API Document
          Assignee: sleevi@google.com
          Reporter: bzbarsky@mit.edu
                CC: public-webcrypto@w3.org
  Target Milestone: ---

The spec says:

  Let json be the result of representing key as a UTF-16 string conforming to
the
  JSON grammar; for example, by executing the JSON.stringify algorithm
specified
  in ECMA262.

This needs to clearly define where the objects passed to JSON.stringify are
coming from, because JSON.stringify will do things like get .toJSON properties
and call them, so if the objects come from the page global and someone defines
a .toJSON on Object.prototype in the page, that will get invoked during this
process.  Maybe the intent is that there be no observable side-effects; in that
case the behavior needs to be clearly specified so as to avoid them.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Monday, 8 February 2016 22:23:40 UTC