Compartmentalization of host behavior hooks for JS.

Stage: 1


  • Bradley Farias, GoDaddy
  • Mark S. Miller, Agoric
  • Caridy Patiño, Salesforce
  • Jean-Francois Paradis, Salesforce
  • Patrick Soquet, Moddable
  • Kris Kowal, Agoric


Provide a mechanism to generate ECMAScript code that provides compartmentalized host behavior from other ECMAScript code.

This is extracting some desired behavior from the existing SES Proposal for generalized use.


ECMAScript has many environments in which it runs, and many behaviors are host driven. For a variety of use cases, the ability to alter the standard host behavior is desirable.

Some of these environments are build time instead of run time, such as bundling tool chains that override how things like import behavior. These are explicitly not creating an isolation of the object address space for JS and share the global with things using them.

Various efforts like JSDom, SES, and even testing frameworks seek to override host behaviors within Realms. In TC39 we sometimes refer to this as the ability to virtualize behavior.

Currently there is no standard way of virtualizing all behavior, nor of compartmentalizing behaviors to specific source text. By introducing a means to virtualize behaviors for source texts a variety of workflows are able to be created without relying on host specific APIs. Existing method often replace host driven APIs such as Date in various ways such as detached <iframes>, using CSP, Node.js's vm.createContext, XS's Compartments implementation, etc.

Historically, the SES proposal sought to achieve this behavior through isolation as a security boundary, but the utility of changing these behaviors is outside of purely security concerns. A large number of potential use cases lie purely in the ability to virtualize some host behavior.

Currently, things like changing the effective time zone, locale, or limiting the ability to eval code withing a source text is not possible in JS.TC39 in the past has seen desires to override specific host behaviors such as Zones in specific situations. This proposal seeks to provide a way to coordinate host behavior of such APIs in a generalized manner.

It seeks to do so in the following solution space:

  • without requiring separating the address space
  • without requiring an asynchronous messaging system
  • keeping shared intrinsics of source texts
  • does not allow escaping existing host security mechanisms

It leaves concerns about those to other proposals such as Realms or even host APIs.


There are several ways in which these behaviors could be overriden.

  • They could only be allowed to be changed in a manner that is only virtualized to a newly allocated global scope.
  • They could be done via API virtualization at the global scope level.
  • They could be changed on a source text level to allow shared references without identity discontinuity.

The status quo is API virtualization at the global scope level, but not all behavior is virtualizable doing so; notably, direct eval, import.meta, and import.

There are ways to virtualize most other APIS


This is a rough sketch of potential APIs.

// Shared space by Realm
type FullSpecifier = string;
type ModuleNamespace = object;
// Used to create a Reusable Instance factory for Module Records
// exotic
interface StaticModuleRecord {
  // intend to add reflection of import/export bindings

  // needs to allow duplicates
  staticImports(): {specifier: string, exportNames}[];
interface SourceTextStaticModuleRecord extends StaticModuleRecord {
  // no coerce
  constructor(source: string);
type CompartmentConstructorOptions = {
  // JF has a better way for:
  //   randomHook(): number; // Use for Math.random()
  //   nowHook(): number; // Use for both and new Date(),
  // Supplied during Module instance creation instead of option
  //   hasSourceTextAvailableHook(scriptOrModule): bool; // Used for censorship
  resolveHook(name: string, referrer: FullSpecifier): FullSpecifier

  // timing
  // importHook delegates to importNowHook FIRST,
  // they share a memo cache
  // order to ensures importNow never allows async value of import
  // to be accessed prior to any attached promise
  importHook(fullSpec: FullSpecifier): Promise<StaticModuleRecord>;
  importNowHook(fullSpec: FullSpecifier): StaticModuleRecord?;

  // copy own props after return
  importMetaHook(fullSpec: FullSpecifier): object

  // e.g.: 'fr-FR' - Affects appropriate ECMA-402 APIs within Compartment
  localeHook(): string;
  // This is important to be able to override for deterministic testing and such
  localTZAHook(): string;

  // determines if the fn is acting as an "eval" function
  isDirectEvalHook(evalFunctionRef: any): boolean;

  // prep for trusted types non-string
  canCompileHook(source: any, {
    evaluator: functionRef, // can be a value from isDirectEvalHook
    isDirect?: boolean
  }): boolean; // need to allow mimicing CSP including nonces
// Exposed on global object
// new Constructor per Compartment
// CreateRealm needs to be refactored to take params
//  - intrinsics: an intrinsics record from
//       Well-Known Intrinsic Objects
interface Compartment {
    // extra bindings added to the global
    endowments?: {
      [globalPropertyName: string]: any
    // need to figure out module attributes as it progresses
    // maps child specifier to parent specifier
    moduleMap?: {[key: FullSpecifier]: FullSpecifier | ModuleNamespace},
    // including hooks like isDirectEvalHook
    options?: CompartmentConstructorOptions
  ): Compartment // an exotic compartment object

  // access this compartment's global object, getter
  globalThis: object;

  // do an eval in this compartment
  // default is strict indirect eval
    // trusted types prep means use of `any`
    src: any,
    // FUTURE:
    //   for other eval goals like Module, need to discuss import()/eval() to
    //   get other Goals vs an option
    // options?: object
  ): any;

  // Return signature differs to allow avoiding then() exports
  // Used to ensure ability to be compatible with static import
  async import(specifier: string): Promise<{namespace: ModuleNamespace}>;
  // Desired by TC53
  importNow(specifier: string): ModuleNamespace;
  // Necessary to thread a module exports namespace from this compartment into
  // the `moduleMap` Compartment constructor argument, without importing (and
  // consequently executing) the module.
  module(specifier: string): ModuleNamespace;

Design rationales

Boxed module namespace returned by compartment import

An exported value named then can be statically imported, but dynamic import confuses the module namespace for a thenable object. The resolution of the promise returned by dynamic import, in this case, is the eventual resolution of the thenable module. This is unlikely to be an intended effect.

Consider thenable.js:

export function then(resolve) {

This might be dynamically imported by a neighboring module.

import('./thenable.js').then((x) => {
  // x will be 42 in this case, not a module namespace object with a then
  // function.

This is the behavior of a dynamic import today, despite it being surprising.

In this proposal, the Compartment.import function differs from the behavior of dynamic import by returning the namespace in a box.

compartment.import('./thenable.js').then(({namespace: x}) => {
  // x will be a module namespace object with a then function.