How to ensure that your script runs first in a webpage

John J Barton johnjbarton at johnjbarton.com
Fri Feb 3 14:26:42 PST 2012


On Fri, Feb 3, 2012 at 1:08 PM, David Bruant <bruant.d at gmail.com> wrote:
> Le 03/02/2012 17:54, John J Barton a écrit :

>> iframes seem to be effective for the cases David outlined.
> I can come up with more use cases ;-) Regardless of use cases iframes
> will always have an overhead against just loading some code with
> attenuated authority.

To support the attenuation of authority you have to create a container
(authority boundary) and you have to attenuate the API you give the
loaded code.  These activities are not free.

For the container, the important question (which I do not know the
answer to): can the container be isolated from the rest of the Web app
running in the window?  Is there any impact on the rest of the
application from the choice to allow untrusted code to be loaded into
it?

To ask the same question in a more personal way: I've read code with
PropertyDescriptor/freeze() etc. Will I have to write that kind of
code?

>
> For instance, if we want to create a game where participants submit some
> code to compete with each other. When loading the participants code,
> iframes can have a performance issue and asynchronous communication as
> done in the browser (with HTML5 cloning algorithm as the "richest form
> of sharing") may be very limitating.

Both technologies require the attenuated API. Since this API is the
security hole, it will require a great deal of attention. I think in
practical cases this effort will dwarf other issues.

> However, being able to load the
> code in the same frame ("vat" as said in the concurrency strawman) would
> certainly yield better performance.

I thought this way as well only a few months ago. But the Chrome
multi-process architecture convinced me to reconsider. Integration
calls, the kind of API a security barrier can support, are just not
performance sensitive by design. And JSON messaging performs very
well.

> The only remaining threat would be DoS (both in memory and CPU time), an
> alternative allowing performance, rich interaction and preventing by
> design DoS is what is presented on the concurrency strawman. But we're
> not there and iframes are far from providing the same level of control.

Will the security solution prevent the untrusted code from
manipulating the DOM tree outside of a specific element?

(I appreciate your answers even if my questions sound pointed)

jjb

>
> David


More information about the es-discuss mailing list