Date: Tue, 23 Mar 2021 07:39:04 +0000
From: Adam Thompson
To: Karl Dahlke
Cc: edbrowse-dev@edbrowse.org
Subject: Re: [edbrowse-dev] sharing and security

On Sun, Mar 21, 2021 at 05:34:21PM -0400, Karl Dahlke wrote:
> This is just me thinking out loud.
>
> Let's say we share the Table class in the master window mw$.
> I don't have to replicate it and its methods for every web page.
> Saves time and memory etc. All good.

Agreed, if we can do so safely.

[...]

> If the prototype object exists, and you can see it, you can add something to it.
> Maybe you can't change what's there, but you can add to it.
> So we would have to be 100% perfect, with a function or at least a stub for every method that exists,
> and we would have to stay current with this as the DOM evolves,
> cause if we don't, a shared class opens up a security risk.

Does it also open us up to any other unintended interaction (e.g. someone getting their hands on our prototype object somehow without using our shared window object)? I simply don't know js well enough to know if there's any way to get hold of an object's prototype from the object or, in a browser context, its own window and for that to cascade to other windows if one does that.

> That's how it looks to me anyways.
>
> Do you follow what I'm saying?
>
> No wonder every browser writes all its classes in C, thus shared at a level that can't be hijacked;
> but of course we don't have the manpower to do that.
> And if we did, we are, at that point, heavily invested in an engine;
> I couldn't just switch engines in a couple weeks as I just did with quick.
>
> That's my discouraging thought for the day.

Even if I'm concerned about nothing above, your security explanation makes perfect sense (unfortunately). I'm not sure of the best way around this other than not to share classes. This'd suck a bit from a performance perspective (and possibly others) however it'd mean we had a somewhat better isolation model from a security perspective.

In the spirit of coming up with an overly positive take on this; at least we're thinking of security and getting to a point where this matters. That's a good, if work-intensive, thing.

Cheers,
Adam.
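
An added illustration of the concern discussed in this thread, not code from edbrowse or from either author: a class shared by a master object is reachable from any instance through `Object.getPrototypeOf`, so one page can add a method that another page then sees, and freezing the class before sharing closes that path. The names `makeMaster`, `pageA`, `pageB`, `runScenario` and the `insertRow`/`deleteRow` methods are assumptions made for the sketch.

```javascript
// Constructed model, not edbrowse code: makeMaster() stands in for the shared
// master window (mw$ in the thread); pageA and pageB stand in for two pages.
function makeMaster() {
  function Table() { this.rows = []; }
  // Existing method is locked: present, but not replaceable or deletable.
  Object.defineProperty(Table.prototype, 'insertRow', {
    value: function () { this.rows.push({}); return this.rows.length; },
    writable: false, configurable: false, enumerable: false,
  });
  return { Table };
}

// Page A is handed only an instance, never the master object itself.
function pageA(tableInstance) {
  'use strict'; // make failed writes throw instead of failing silently
  const proto = Object.getPrototypeOf(tableInstance); // reachable from any instance
  const original = proto.insertRow;
  try { proto.insertRow = function () { return 'replaced'; }; } catch (e) { /* TypeError */ }
  try { proto.deleteRow = function () { return 'defined by page A'; }; } catch (e) { /* TypeError once frozen */ }
  return {
    replaced: proto.insertRow !== original,
    added: Object.prototype.hasOwnProperty.call(proto, 'deleteRow'),
  };
}

// Page B builds its own Table and calls a method the shared class never defined.
function pageB(Table) {
  const t = new Table();
  return typeof t.deleteRow === 'function' ? t.deleteRow() : 'missing';
}

// harden=false: prototype is extensible, as in the thread's worry.
// harden=true: the master freezes the constructor and its prototype before sharing.
function runScenario(harden) {
  const master = makeMaster();
  if (harden) {
    Object.freeze(master.Table.prototype);
    Object.freeze(master.Table);
  }
  const a = pageA(new master.Table());
  const b = pageB(master.Table);
  return { a, b };
}

console.log('shared as-is:', JSON.stringify(runScenario(false)));
console.log('frozen first:', JSON.stringify(runScenario(true)));
```

`Object.freeze` is shallow, so every object reachable from the shared class needs the same treatment, and a frozen shared class also stops a page from adding its own methods to it.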