authorLuca Casonato <hello@lcas.dev>2024-05-23 00:03:35 +0200
committerGitHub <noreply@github.com>2024-05-23 00:03:35 +0200
commit971f09abe486185247e1faf4e8d1419ba2506b8d (patch)
tree3ed0cf608116ad06e88a87552333e930824cc790 /ext/fetch
parent6c167c64d61ecfc912dc1b68d300f02aa3677235 (diff)
fix(runtime): use more null proto objects (#23921)
This is a primordialization effort to improve resistance against users tampering with the global `Object` prototype. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
Diffstat (limited to 'ext/fetch')
-rw-r--r--ext/fetch/20_headers.js6
-rw-r--r--ext/fetch/23_request.js2
-rw-r--r--ext/fetch/23_response.js2
-rw-r--r--ext/fetch/26_fetch.js2
-rw-r--r--ext/fetch/27_eventsource.js2
5 files changed, 7 insertions, 7 deletions
diff --git a/ext/fetch/20_headers.js b/ext/fetch/20_headers.js
index 3ee9d9184..1690d9f7d 100644
--- a/ext/fetch/20_headers.js
+++ b/ext/fetch/20_headers.js
@@ -100,7 +100,7 @@ function checkForInvalidValueChars(value) {
return true;
}
-let HEADER_NAME_CACHE = {};
+let HEADER_NAME_CACHE = { __proto__: null };
let HEADER_CACHE_SIZE = 0;
const HEADER_NAME_CACHE_SIZE_BOUNDARY = 4096;
function checkHeaderNameForHttpTokenCodePoint(name) {
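Review bot: The `{ __proto__: null }` literal for `HEADER_NAME_CACHE` is written twice, at the declaration here and at the size-boundary reset in the next hunk, with nothing saying why, so a later cleanup that turns either one back into `{}` would silently undo the hardening. The cache appears to be keyed by the header name passed to `checkHeaderNameForHttpTokenCodePoint` (the lookup itself is outside these hunks), and a name such as `constructor` or `__proto__` would resolve through `Object.prototype` on a plain object. I would add a comment above the declaration, `// Null prototype: keys are caller-supplied header names and must never resolve via Object.prototype.`, and repeat the reasoning at `seenHeaders` in the `Headers` hunk. The function body continues outside the hunk.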
@@ -112,7 +112,7 @@ function checkHeaderNameForHttpTokenCodePoint(name) {
const valid = RegExpPrototypeTest(HTTP_TOKEN_CODE_POINT_RE, name);
if (HEADER_CACHE_SIZE > HEADER_NAME_CACHE_SIZE_BOUNDARY) {
- HEADER_NAME_CACHE = {};
+ HEADER_NAME_CACHE = { __proto__: null };
HEADER_CACHE_SIZE = 0;
}
HEADER_CACHE_SIZE++;
@@ -241,7 +241,7 @@ class Headers {
// The order of steps are not similar to the ones suggested by the
// spec but produce the same result.
- const seenHeaders = {};
+ const seenHeaders = { __proto__: null };
const entries = [];
for (let i = 0; i < list.length; ++i) {
const entry = list[i];
diff --git a/ext/fetch/23_request.js b/ext/fetch/23_request.js
index 873d05a2b..adebe13b3 100644
--- a/ext/fetch/23_request.js
+++ b/ext/fetch/23_request.js
@@ -300,7 +300,7 @@ class Request {
* @param {RequestInfo} input
* @param {RequestInit} init
*/
- constructor(input, init = {}) {
+ constructor(input, init = { __proto__: null }) {
if (input === _brand) {
this[_brand] = _brand;
return;
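Review bot: The new default on `init` takes effect only when the caller omits the argument or passes `undefined`; an `init` object supplied by the caller still has `Object.prototype` on its chain, so the tamper resistance added here is limited to the no-argument path. How `init` is read is outside this hunk (in `Response.json` it is passed to `webidl.converters["ResponseInit_fast"]`), so whether inherited members are ignored for caller-supplied objects cannot be confirmed from the diff. I would record that scope in the JSDoc, e.g. `@param {RequestInit} init - defaults to a null-prototype object so an omitted init never reads members from a tampered Object.prototype`. The same applies to the `Response.json`, `fetch` and `EventSource` constructor hunks below. The constructor body continues outside the hunk.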
diff --git a/ext/fetch/23_response.js b/ext/fetch/23_response.js
index a3805a97d..94fc69a98 100644
--- a/ext/fetch/23_response.js
+++ b/ext/fetch/23_response.js
@@ -282,7 +282,7 @@ class Response {
* @param {ResponseInit} init
* @returns {Response}
*/
- static json(data = undefined, init = {}) {
+ static json(data = undefined, init = { __proto__: null }) {
const prefix = "Failed to execute 'Response.json'";
data = webidl.converters.any(data);
init = webidl.converters["ResponseInit_fast"](init, prefix, "Argument 2");
diff --git a/ext/fetch/26_fetch.js b/ext/fetch/26_fetch.js
index 458155a28..674d99709 100644
--- a/ext/fetch/26_fetch.js
+++ b/ext/fetch/26_fetch.js
@@ -305,7 +305,7 @@ function httpRedirectFetch(request, response, terminator) {
* @param {RequestInfo} input
* @param {RequestInit} init
*/
-function fetch(input, init = {}) {
+function fetch(input, init = { __proto__: null }) {
// There is an async dispatch later that causes a stack trace disconnect.
// We reconnect it by assigning the result of that dispatch to `opPromise`,
// awaiting `opPromise` in an inner function also named `fetch()` and
diff --git a/ext/fetch/27_eventsource.js b/ext/fetch/27_eventsource.js
index 1ab9d8009..685eb47c2 100644
--- a/ext/fetch/27_eventsource.js
+++ b/ext/fetch/27_eventsource.js
@@ -144,7 +144,7 @@ class EventSource extends EventTarget {
return this.#withCredentials;
}
- constructor(url, eventSourceInitDict = {}) {
+ constructor(url, eventSourceInitDict = { __proto__: null }) {
super();
this[webidl.brand] = webidl.brand;
const prefix = "Failed to construct 'EventSource'";