Component: Blink>JavaScript
Type: Unintended behavior
Description
Steps to reproduce the problem
isProxy(new Proxy({}, {}))
(it will print true).
Problem Description
Chrome's stack trace inadvertently exposes the presence of a Proxy. A Proxy is supposed to be transparent in most scenarios, but Chrome's specific implementation of the stack trace API (which is not part of the specification) provides an easy way of detecting whether an object is a Proxy or not.
When a stack frame is a method call, Chrome tries to infer the type name of the this value of the frame, at CallSiteInfo::GetTypeName (see https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/call-site-info.cc;drc=304476fc888332d14c19ecc697414b5d29a55d97;l=519 ). When it encounters a Proxy, it gives up too easily and simply returns Proxy. As a result, a stack trace from an error thrown from throwError.call(obj); in the above code becomes:
From this, one can easily create a helper function that very reliably detects a Proxy.
While there are various cases where a Proxy can't fully emulate certain types of objects, mostly due to the inability to proxy "internal slots", there isn't a generic way to detect arbitrary proxies, as far as I am aware, except for this Chrome stack trace exploit.
I suppose this loophole can easily be plugged by doing a little more work in stack trace generation and trying to get the type name of a Proxy from the original object that is being proxied. It appears that Chrome is taking some care not to execute user code during such stack trace generation, and getting the original object from a Proxy could be done in such a way.
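The detector the description above alludes to, written out as an added example (this is not the reporter's code and not part of the original report). It relies on exactly the V8 behaviour the report points at: when the this value of a frame is a Proxy, CallSiteInfo::GetTypeName reports "Proxy", so the frame renders as "at Proxy.<function>". Two variants are shown, one parsing the formatted Error.stack text and one reading getTypeName() from the structured CallSite object via Error.prepareStackTrace (both V8-only APIs). The function names probe, typeNameFromStackText, typeNameFromCallSite and isProxy, and all sample inputs, are constructed for this example.

```javascript
// Added example (not the reporter's code). Detects a Proxy through V8's
// non-standard stack-trace machinery: when the `this` value of a frame is a
// Proxy, CallSiteInfo::GetTypeName reports the type name "Proxy", so a frame
// for a function called with a Proxy as `this` is printed as "at Proxy.<fn>".

// Variant 1: read the type name from the formatted Error.stack text.
function typeNameFromStackText(value) {
  // A named function, so the frame renders as "at <TypeName>.probe (...)".
  function probe() { return new Error('probe').stack; }
  const savedLimit = Error.stackTraceLimit;
  Error.stackTraceLimit = 1;            // only the probe frame is needed
  let stack;
  try {
    stack = probe.call(value);          // `this` inside probe is `value`
  } finally {
    Error.stackTraceLimit = savedLimit;
  }
  // stack looks like "Error: probe\n    at Proxy.probe (/path/file.js:L:C)"
  const frame = stack.split('\n')[1] || '';
  const m = /^\s*at\s+(\S+)\.probe\b/.exec(frame);
  return m ? m[1] : null;               // "Proxy", "Object", "Foo", ...
}

// Variant 2: ask the structured CallSite object directly. getTypeName() is the
// JavaScript-visible face of CallSiteInfo::GetTypeName, so no text parsing
// is needed and the answer is exact.
function typeNameFromCallSite(value) {
  function probe() { return new Error('probe').stack; }
  const savedPrepare = Error.prepareStackTrace;
  const savedLimit = Error.stackTraceLimit;
  Error.stackTraceLimit = 1;
  // With prepareStackTrace installed, `.stack` evaluates to whatever we return.
  Error.prepareStackTrace = (_err, callSites) => callSites[0].getTypeName();
  try {
    return probe.call(value);
  } finally {
    Error.prepareStackTrace = savedPrepare;
    Error.stackTraceLimit = savedLimit;
  }
}

function isProxy(value) {
  // Only receivers can be proxies; reject primitives up front.
  if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
    return false;
  }
  return typeNameFromCallSite(value) === 'Proxy';
}

// Constructed inputs for a stand-alone run.
const plain = {};
const proxied = new Proxy({}, {});
// A handler that throws if any trap is even looked up: isProxy() must still
// answer true without triggering it, because stack-trace generation does not
// run user code on the receiver.
const boobyTrapped = new Proxy({}, new Proxy({}, {
  get() { throw new Error('trap touched'); },
}));
// A revoked proxy is unusable through every ordinary operation, yet it is
// still identified, since only the receiver's internal type is consulted.
const { proxy: revoked, revoke } = Proxy.revocable({}, {});
revoke();

console.log(typeNameFromStackText(plain), typeNameFromStackText(proxied));
console.log(isProxy(plain), isProxy(proxied), isProxy(boobyTrapped), isProxy(revoked));
```

Two caveats. The text variant keys on the literal string "Proxy", which an ordinary class declared as class Proxy {} would also produce through GetConstructorName, so it can false-positive on a deliberately named class; the CallSite variant has the same ambiguity, because GetTypeName returns a plain string in both cases. And both variants depend on V8's Error.stackTraceLimit, Error.prepareStackTrace and CallSite.getTypeName(), which other engines do not provide, matching the report's note that this is a Chrome-only problem.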
Summary
Chrome's error stack traces expose Proxies to user code.
Custom Questions
Which component does this fall under?
Not sure - I don't know
Does this work in other browsers?
Yes - This is just a Chrome problem
Additional Data
Category: JavaScript
Chrome Channel: Stable
Regression: N/A