endojs · erights · Mar 1, 2021 · Feb 28, 2021 · Feb 28, 2021 · Feb 28, 2021
diff --git a/packages/ses/NEWS.md b/packages/ses/NEWS.md
@@ -25,6 +25,17 @@ User-visible changes in SES:
   passed through to the underlying `JSON.stringfiy`. Passing in a space or
   two spaces makes the output much more readable using indentation and other
   whitespace, but takes multiple lines.
+* The "SES Demo Console" and "SES Challenge" have been fixed to work with
+  modern SES. Both now run in browsers, though these are not yet hosted
+  for visiting as an external web page.
+* We no longer enable overriding `Object.prototype.constructor` by assigning
+  to the `constructor` property of a derived object. We were enabling it
+  due to a bug in acorn 7, since fixed in acorn 8. To enable it, we were
+  making `Object.prototype.constructor` into an accessor property, which
+  confused the Node debugger, causing annoying extra noise in the console
+  output. Now that we've worked around our acorn problem (currently with
+  a patch) we have stopped enabling this assignment, and so stopped
+  confusing the Node debugger.
 
 ## Release 0.12.2 (5-Feb-2021)
 

diff --git a/packages/ses/demos/challenge/index.html b/packages/ses/demos/challenge/index.html
@@ -82,7 +82,8 @@ <h2>Sample Attacks:</h2>
         <li><button id="sample-counter" type="button">Counter</button></li>
         <li><button id="sample-timing" type="button">Timing Side-Channel</button></li>
       </ul>
-      <p>(<a href="https://github.com/Agoric/ses-shim/tree/master/apps/challenge">challenge source code</a>)</p>
+      <p>(<a href="https://github.com/Agoric/SES-shim/tree/master/packages/ses/demos/challenge">challenge source code</a>)</p>
+      <script src="../../dist/lockdown.umd.js"></script>
       <script src="main.js"></script>
     </body>
-  </html>
+  </html>
diff --git a/packages/ses/demos/challenge/main.js b/packages/ses/demos/challenge/main.js
@@ -17,28 +17,24 @@
 //   limit attacker to some finite number of calls per go()
 //   framework updates UI (with setTimeout(0)), then calls go() again
 
-import('../../dist/ses.esm.js').then(({ lockdown }) => {
+lockdown();
+{
   console.log('starting');
 
   // Helpers
 
-  function $(selector) {
-    return document.querySelector(selector);
-  }
-  // function $$(selector) {
-  //   return document.querySelectorAll(selector);
-  // }
+  const $ = selector => document.querySelector(selector);
 
   // ********************
-  // 1. We build the SES Realm.
+  // 1. Should we endow the real `Date`?
   // ********************
 
-  const dateTaming = window.location.search.includes('dateNow=enabled')
-    ? 'unsafe'
-    : 'safe';
-  $('#dateNowStatus').textContent =
-    dateTaming === 'unsafe' ? 'Date.now() enabled' : 'Date.now() returns NaN';
-  lockdown({ dateTaming });
+  const urlsp = new URLSearchParams(window.location.search);
+  const nowEnabled = urlsp.get('dateNow') === 'enabled';
+  const dateEndowment = nowEnabled ? { Date } : {};
+  $('#dateNowStatus').textContent = nowEnabled
+    ? 'Date.now() enabled'
+    : 'Date.now() disabled';
 
   // ********************
   // 2. We prepare APIs for the defender code.
@@ -149,15 +145,8 @@ import('../../dist/ses.esm.js').then(({ lockdown }) => {
     return true;
   }
 
-  const tamedConsole = {
-    log() {
-      return console.log();
-    },
-  };
-
-  harden(tamedConsole);
   harden(guess);
-  const compartent = new Compartment({ console: tamedConsole, guess });
+  const compartent = new Compartment({ console, guess, ...dateEndowment });
 
   function submitProgram(program) {
     // the attacker's code will be submitted here. We expect it to be a
@@ -297,6 +286,6 @@ import('../../dist/ses.esm.js').then(({ lockdown }) => {
   });
 
   console.log('loaded');
-});
+}
 
 /* eslint-enable no-plusplus */
diff --git a/packages/ses/demos/console/index.html b/packages/ses/demos/console/index.html
@@ -1,12 +1,12 @@
 <html>
   <head>
     <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
-    <title>SES Console</title>
+    <title>SES Demo Console</title>
     <link href="style.css" rel="stylesheet" type="text/css" />
 
   </head>
   <body>
-    <h1>SES Console</h1>
+    <h1>SES Demo Console</h1>
     <label>Input:</label>
     <br/>
     <textarea id="input" rows="25" cols="80">
@@ -18,9 +18,9 @@ <h1>SES Console</h1>
     const x = 0;
     const c1 = new Compartment({ x: 1 });
     const c2 = new Compartment({ x: 2 });
-    
-    const x1 = c1.evaluate('(x)');
-    const x2 = c2.evaluate('(x)');
+
+    const x1 = c1.evaluate('x');
+    const x2 = c2.evaluate('x');
     /**
     * This line below will output 3 values to demonstrate that
     * x has a different value in every context:
@@ -29,7 +29,7 @@ <h1>SES Console</h1>
     * - 2 in compartment #2
     */
     ({ x, x1, x2 })
-    
+
     </textarea>
     <br />
     <button id="execute">Execute</button>
@@ -43,6 +43,7 @@ <h1>SES Console</h1>
       Note: you can look in the console to inspect the original output of the evaluation.
       </small>
     </p>
+    <script src="../../dist/lockdown.umd.js"></script>
     <script src="main.js"></script>
   </body>
-</html>
+</html>
diff --git a/packages/ses/demos/console/main.js b/packages/ses/demos/console/main.js
@@ -1,6 +1,8 @@
 /* globals document */
-import('../../dist/ses.esm.js').then(({ lockdown }) => {
-  lockdown();
+
+lockdown();
+{
+  const { quote: q } = assert;
 
   const $ = selector => document.querySelector(selector);
 
@@ -9,34 +11,27 @@ import('../../dist/ses.esm.js').then(({ lockdown }) => {
   const input = $('#input');
   const output = $('#output');
 
-  const compartment = new Compartment();
+  // Under the default `lockdown` settings, it is safe enough
+  // to endow with the safe `console`.
+  const compartment = new Compartment({ console });
 
   execute.addEventListener('click', () => {
     const sourceText = input.value;
     let result;
     let outputText;
     try {
       result = compartment.evaluate(sourceText);
-      switch (typeof result) {
-        case 'function':
-          outputText = result.toString();
-          break;
-        case 'object':
-          outputText = JSON.stringify(result);
-          break;
-        default:
-          outputText = `${result}`;
-      }
+      console.log(result);
+      outputText = `${q(result, '  ')}`;
     } catch (e) {
-      outputText = `${e}`;
+      console.log('threw', e);
+      outputText = `threw ${q(e)}`;
     }
-
-    console.log(result);
     output.value = outputText;
   });
 
   clear.addEventListener('click', () => {
     input.value = '';
     output.value = '';
   });
-});
+}
diff --git a/packages/ses/demos/index.html b/packages/ses/demos/index.html
@@ -8,11 +8,11 @@
     <h1>SES Demos</h1>
     <ul>
       <li>
-        <a href="./console">SES Console</a>: a REPL to help you debug code running in SES.
+        <a href="./console">SES Demo Console</a>: a REPL to help you debug code running in SES.
       </li>
       <li>
         <a href="./challenge">SES Challenge</a>: try to break out of SES and read a secret!
       </li>
     </ul>
   </body>
-</html>
+</html>