Control, Safety, Performance?

[brandon942]

It creates a new copy of the built-ins from ECMAScript.

Does this proposal not take away control from the host (website owner) over what 3rd party scripts do?
Sharing the same context is very much desirable in almost all cases. Scripts "stepping on each other's feet" has not been an issue to my knowledge.
By wrapping APIs the host has visibility and control over which APIs are used and how they are used by subsequent scripts.
This proposal takes this control away and enables 3rd party scripts to hide and protect potentially undesired or malicious activity from the host.
I don't see how anyone but malicious actors benefit from this proposal.

Another issue is performance. If all frameworks see themselves encouraged to start using their own realm which comes at a memory and performance cost instead of sharing a global one then it will downgrade the performance of all websites.

[ljharb]

iframes and vm already exist; the host doesn't have this control now.

[ptomato]

If you don't want third-party scripts to be able to use ShadowRealm, then you can simply remove the capability before loading them: delete globalThis.ShadowRealm

Scripts "stepping on each other's feet" has not been an issue to my knowledge.

It seems to be a fairly common problem in large organizations with large codebases.

enables 3rd party scripts to hide and protect potentially undesired or malicious activity from the host.

The flip side is that malicious activity arising from 3rd party code tinkering with your builtins is neutralized, because that tinkering can't escape the ShadowRealm.

But anyway, you can continue to monitor which APIs are used by 3rd party scripts that you run in a ShadowRealm; just run them in a ShadowRealm that you have pre-prepared to notify you of usages that you are interested in.

For example (off the top of my head), something like this for monitoring queueMicrotask:

realm.evaluate(```(notify) => {
  const realQueueMicrotask = queueMicrotask;
  Object.defineProperty(globalThis, 'queueMicrotask', {
    get() {
      notify('queueMicrotask');
      return realQueueMicrotask;
    }
  });
}```)((api) => alert(`script used ${api}`));
realm.importValue('./3rdparty.js', 'entryPoint');