Fix SES lockdown on older browsers

[Gudahtt]

On older browsers that don't support globalThis, the SES lockdown throws an error. The globalthis shim has been added to all pages, to the background process, and to the contentscript. This should prevent the error on older browsers.

Manual testing steps:

• Load each page
• See whether the error globalThis is not defined is in the dev console

Four of our pages use the lockdown script, so are affected by this: home.html, notification.html, phishing.html, and popup.html. The contentscript environment and the background process are also affected.

[Gudahtt]

This depends upon #10013 Now ready for review

[Gudahtt]

I wasn't able to test this, as I don't have any older browsers installed. I can try later on my Windows machine (using old "portable" executable).

We support Chrome >= 58' and Firefox >= 56.2 (see here), so testing something close-ish to those minimums would be idea.

[metamaskbot]

Builds ready [f3c0b67]

• builds: chrome, firefox, opera
• bundle viz: background, ui, inpage, contentscript, ui-libs, bg-libs, phishing-detect
• dep viz: background
• all artifacts

Page Load Metrics (541 ± 44 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	32	67	51	10	5
		domContentLoaded	283	677	540	92	44
		load	284	678	541	92	44
		domInteractive	282	677	539	92	44

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[EtDu]

I believe simply adding if (typeof globalThis === 'undefined') self.globalThis = self before lockdown is sufficient, without using another dep.

[Gudahtt]

@EtDu That does not work. The failure occurs in lockdown.cjs, before runLockdown.js is run. The global variable lockdown will now not be defined.

Is there a reason you think we should avoid using globalthis? It's the officially maintained shim, and we already had it in our deps (indirectly). Pulling that in ensures we can leave lockdown.cjs unmodified as well.

[Gudahtt]

I have restored the original commit and rebased it.

[sentry-io]

Sentry issue: METAMASK-GP0Y

[sentry-io]

Sentry issue: METAMASK-GP0X

[metamaskbot]

Builds ready [75af7c1]

• builds: chrome, firefox, opera
• bundle viz: background, ui, inpage, contentscript, ui-libs, bg-libs, phishing-detect
• dep viz: background
• all artifacts

Page Load Metrics (546 ± 28 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	32	58	49	7	3
		domContentLoaded	331	624	545	58	28
		load	332	625	546	58	28
		domInteractive	331	624	544	58	28

[Gudahtt]

I tried testing this on Chrome v58, and ran into an issue with Object rest/spread 😞. So this still isn't compatible with our minimum documented Chrome version at least.

[Gudahtt]

It looks like Chromium v60 gets past the Object rest/spread issue, but still blows up when it gets to function* (despite the MDN article claiming that it supports generators 🤔). Chromium v62 blows up as well. I needed to update to Chromium v63 to get past the generator error. Then everything on this branch seemed to work.

Maybe we can bump the minimum Chromium version up to v63 🤔. We were already planning to bump it up to v60 at least. I'll take a look at our metrics again.

[Gudahtt]

When testing with Waterfox Classic (should be API equivalent to our minimum Firefox version), I see this error from lockdown.cjs: Error: function "toFormat" not found

It looks like it's converting any methods it finds on the Date prototype with the string "Locale" to an equivalent method without "Locale". So it's seeing toLocaleFormat, and trying to map it to toFormat, which doesn't exist. This is only a problem on older browsers because toLocaleFormat was removed in later Firefox versions.

[Gudahtt]

I've tested this in Firefox v68 (the previous Extended Support Release), and this seems to work correctly. I think we might just have to let the lockdown fail on Waterfox Classic for now. At least it doesn't seem to have any user-facing impact - it's just the lockdown that fails.