Is it too late to remove SharedArrayBuffer from the spec?

[Storyyeller]

As major browser vendors have recently disabled SharedArrayBuffer as a security mitigation, is it too late to remove SharedArrayBuffer from the spec? It would be confusing to have yet another feature like proper tail calls in the spec that nobody actually implements.

[jfbastien]

It would be confusing to have yet another feature like proper tail calls in the spec that nobody actually implements.

JavaScriptCore implements tail call 😁

At least looking at Mozilla's messaging, the intent seems to be to re-enable SAB in the future:

In the longer term, we have started experimenting with techniques to remove the information leak closer to the source, instead of just hiding the leak by disabling timers. This project requires time to understand, implement and test, but might allow us to consider reenabling SharedArrayBuffer and the other high-resolution timers as these features provide important capabilities to the Web platform.

It seems premature to remove SAB from the spec given this intent.

[littledan]

I'd suggest we add a NOTE in the specification pointing to the issue, and saying something to the effect of, "it's understandable if implementations can't ship this due to security issues". Maybe violating spec conformance temporarily will be a little push towards getting implementers to implement and deploy these mitigations.

[mathiasbynens]

tc39/security#3

[ljharb]

Closing in favor of #1435.