Disallow adding private fields to Location and WindowProxy

This uses the new HostEnsureCanAddPrivateElement host hook defined in the JavaScript specification to prevent using the super-override trick to add private fields to these host objects.

Fixes #7952.

Author: mgaudet

source

@@ -2899,6 +2899,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li>The <dfn data-x="js-HostCallJobCallback" data-x-href="https://tc39.es/ecma262/#sec-hostcalljobcallback">HostCallJobCallback</dfn> abstract operation</li>
      <li>The <dfn data-x="js-HostEnqueueFinalizationRegistryCleanupJob" data-x-href="https://tc39.es/ecma262/#sec-host-cleanup-finalization-registry">HostEnqueueFinalizationRegistryCleanupJob</dfn> abstract operation</li>
      <li>The <dfn data-x="js-HostEnqueuePromiseJob" data-x-href="https://tc39.es/ecma262/#sec-hostenqueuepromisejob">HostEnqueuePromiseJob</dfn> abstract operation</li>
+     <li>The <dfn data-x="js-HostEnsureCanAddPrivateElement" data-x-href="https://tc39.es/ecma262/#sec-hostensurecanaddprivateelement">HostEnsureCanAddPrivateElement</dfn> abstract operation</li>
      <li>The <dfn data-x="js-HostEnsureCanCompileStrings" data-x-href="https://tc39.es/ecma262/#sec-hostensurecancompilestrings">HostEnsureCanCompileStrings</dfn> abstract operation</li>
      <li>The <dfn data-x="js-HostImportModuleDynamically" data-x-href="https://tc39.es/proposal-dynamic-import/#sec-hostimportmoduledynamically">HostImportModuleDynamically</dfn> abstract operation</li>
      <li>The <dfn data-x="js-HostMakeJobCallback" data-x-href="https://tc39.es/ecma262/#sec-hostmakejobcallback">HostMakeJobCallback</dfn> abstract operation</li>
@@ -94762,6 +94763,28 @@ dictionary <dfn dictionary>PromiseRejectionEventInit</dfn> : <span>EventInit</sp
   operations, that vary depending on the host environment. This section defines them for user
   agent hosts.</p>
 
+  <h5 id="the-hostensurecanaddprivateelement-implementation"><dfn>HostEnsureCanAddPrivateElement</dfn>(<var>O</var>)</h5>
+
+  <p>JavaScript contains an <span>implementation-defined</span> <span
+  data-x="js-HostEnsureCanAddPrivateElement">HostEnsureCanAddPrivateElement</span>(<var>O</var>)
+  abstract operation. User agents must use the following implementation: <ref spec=JAVASCRIPT>
+
+  <ol>
+   <li><p>If <var>O</var> is a <code>WindowProxy</code> object, or <span>implements</span>
+   <code>Location</code>, then return Completion { [[Type]]: throw, [[Value]]: a new
+   <code>TypeError</code> }.</li>
+
+   <li><p>Return <span>NormalCompletion</span>(unused).</p></li>
+  </ol>
+
+  <p class="note">JavaScript private fields can be applied to arbitrary objects. Since this can
+  dramatically complicate implementation for particularly-exotic host objects, the JavaScript
+  language specification provides this hook to allow hosts to reject private fields on objects
+  meeting a host-defined criteria. In the case of HTML, <code>WindowProxy</code> and
+  <code>Location</code> have complicated semantics &mdash; particularly around navigation and
+  security &mdash; that make implementation of private field semantics challenging, so our
+  implementation simply rejects those objects.</p>
+
   <h5><dfn data-x="the-hostensurecancompilestrings-implementation">HostEnsureCanCompileStrings</dfn>(<var>realm</var>)</h5>
 
   <p>JavaScript contains an <span>implementation-defined</span> <span
@@ -128677,6 +128700,7 @@ INSERT INTERFACES HERE
   Matt Falkenhagen,
   Matt Schmidt,
   Matt Wright,
+  Matthew Gaudet, <!-- mgaudet on GitHub -->
   Matthew Gregan,
   Matthew Mastracci,
   Matthew Noorenberghe,