{"version":3,"file":"lockdown-more.cjs","sourceRoot":"","sources":["../../../src/common/lockdown/lockdown-more.ts"],"names":[],"mappings":";AAAA,qFAAqF;AACrF,mEAAmE;;;AAEnE,uDAAiD;AAEjD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,SAAgB,mBAAmB;IACjC,gEAAgE;IAChE,oDAAoD;IACpD,gEAAgE;IAChE,oBAAoB;IACpB,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,WAAW,EAAE,CAAC,UAAU,CAAC,CAAC;QAEtE,sEAAsE;QACtE,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAkB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;QAE5E,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;YAC/B,yEAAyE;YACzE,oEAAoE;YACpE,8CAA8C;YAC9C,GAAG,eAAe;YAElB,gDAAgD;YAChD,sDAAsD;YACtD,8BAA8B;SAC/B,CAAC,CAAC;QAEH,gBAAgB,CAAC,OAAO,CAAC,CAAC,YAAY,EAAE,EAAE;YACxC,MAAM,UAAU,GAAG,OAAO,CAAC,wBAAwB,CACjD,UAAU,EACV,YAAY,CACb,CAAC;YAEF,IAAI,UAAU,EAAE,CAAC;gBACf,IAAI,UAAU,CAAC,YAAY,EAAE,CAAC;oBAC5B,yDAAyD;oBACzD,mEAAmE;oBACnE,gBAAgB;oBAChB,IAAI,WAAW,CAAC,UAAU,CAAC,EAAE,CAAC;wBAC5B,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,YAAY,EAAE;4BAC9C,YAAY,EAAE,KAAK;yBACpB,CAAC,CAAC;oBACL,CAAC;yBAAM,CAAC;wBACN,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,YAAY,EAAE;4BAC9C,YAAY,EAAE,KAAK;4BACnB,QAAQ,EAAE,KAAK;yBAChB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;gBAED,IAAI,oBAAoB,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;oBAC3C,MAAM,CAAE,UAAkB,CAAC,YAAY,CAAC,CAAC,CAAC;gBAC5C,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAA,sBAAQ,EAAC,+BAA+B,EAAE,KAAK,CAAC,CAAC;QACjD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAtDD,kDAsDC;AAED;;;;;;;;;GASG;AACH,SAAS,WAAW,CAAC,UAAe;IAClC,OAAO,KAAK,IAAI,UAAU,IAAI,KAAK,IAAI,UAAU,CAAC;AACpD,CAAC","sourcesContent":["// eslint-disable-next-line @typescript-eslint/triple-slash-reference, spaced-comment\n/// <reference path=\"../../../../../node_modules/ses/types.d.ts\" />\n\nimport { logError } from '@metamask/snaps-utils';\n\n/**\n * The SES `lockdown` function only hardens the properties enumerated by the\n * universalPropertyNames constant specified in 'ses/src/whitelist'. 
This\n * function makes all function and object properties on the start compartment\n * global non-configurable and non-writable, unless they are already\n * non-configurable.\n *\n * It is critical that this function runs at the right time during\n * initialization, which should always be immediately after `lockdown` has been\n * called. At the time of writing, the modifications this function makes to the\n * runtime environment appear to be non-breaking, but that could change with\n * the addition of dependencies, or the order of our scripts in our HTML files.\n * Exercise caution.\n *\n * See inline comments for implementation details.\n *\n * We write this function in IIFE format to avoid polluting global scope.\n *\n * @throws If the lockdown failed.\n */\nexport function executeLockdownMore() {\n  // Make all \"object\" and \"function\" own properties of globalThis\n  // non-configurable and non-writable, when possible.\n  // We call a property that is non-configurable and non-writable,\n  // \"non-modifiable\".\n  try {\n    const namedIntrinsics = Reflect.ownKeys(new Compartment().globalThis);\n\n    // These named intrinsics are not automatically hardened by `lockdown`\n    const shouldHardenManually = new Set<symbol | string>(['eval', 'Function']);\n\n    const globalProperties = new Set([\n      // universalPropertyNames is a constant added by lockdown to global scope\n      // at the time of writing, it is initialized in 'ses/src/whitelist'.\n      // These properties tend to be non-enumerable.\n      ...namedIntrinsics,\n\n      // TODO: Also include the named platform globals\n      // This grabs every enumerable property on globalThis.\n      // ...Object.keys(globalThis),\n    ]);\n\n    globalProperties.forEach((propertyName) => {\n      const descriptor = Reflect.getOwnPropertyDescriptor(\n        globalThis,\n        propertyName,\n      );\n\n      if (descriptor) {\n        if (descriptor.configurable) {\n          // If the property on 
globalThis is configurable, make it\n          // non-configurable. If it has no accessor properties, also make it\n          // non-writable.\n          if (hasAccessor(descriptor)) {\n            Object.defineProperty(globalThis, propertyName, {\n              configurable: false,\n            });\n          } else {\n            Object.defineProperty(globalThis, propertyName, {\n              configurable: false,\n              writable: false,\n            });\n          }\n        }\n\n        if (shouldHardenManually.has(propertyName)) {\n          harden((globalThis as any)[propertyName]);\n        }\n      }\n    });\n  } catch (error) {\n    logError('Protecting intrinsics failed:', error);\n    throw error;\n  }\n}\n\n/**\n * Checks whether the given property descriptor has any accessors, i.e. the\n * properties `get` or `set`.\n *\n * We want to make globals non-writable, and we can't set the `writable`\n * property and accessor properties at the same time.\n *\n * @param descriptor - The property descriptor to check.\n * @returns Whether the property descriptor has any accessors.\n */\nfunction hasAccessor(descriptor: any): boolean {\n  return 'set' in descriptor || 'get' in descriptor;\n}\n"]}