Firefox3.1/Web Workers Security Review: Difference between revisions

Revision as of 16:47, 24 September 2008

Web workers allow content javascript to take advantage of multicore CPUs and offload expensive processing tasks to background threads.

Current working spec: whatwg

Major tracking bug: bug 450448

Workers execute in a tightly controlled sandbox.
- No access to Components or other global JS components.
- Only basic JS (Math, Date, etc.), timeouts, XHR, and importScripts.
No pref dependencies yet, maybe will provide one to customize the number of OS threads allowed.
Script loading is subject to the same restrictions as on the main thread (content policies, same origin restrictions, etc.).
XHR uses the same code as the main thread so no new attack vectors should be created.

Users control the execution of background workers by navigating away from or back to the hosting page.

Users cannot currently modify the behavior of workers except by normal mechanisms to modify JS execution, content policies, etc.
No build configuration options.
Need to tune the number of OS threads allowed per app instance.
No hidden maintenance requirements.

Gears - they're very involved with the spec work so hopefully gears API will converge.

@@ Line 13: / Line 13: @@
 ** Only basic JS (Math, Date, etc.), timeouts, XHR, and importScripts.
 * No pref dependencies yet, maybe will provide one to customize the number of OS threads allowed.
-* Script loading and XHR use the same code as the main thread (content policies, same origin restrictions, etc.) so no new attack vectors should be created.
+* Script loading is subject to the same restrictions as on the main thread (content policies, same origin restrictions, etc.).
+* XHR uses the same code as the main thread so no new attack vectors should be created.
 == Exported APIs ==