On Sun, Oct 13, 2013 at 5:32 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
> We have to start thinking about it though. That's the direction we're
> heading. Have everything be pluggable and implementable from untrusted
> content. Maybe an isolated worker that can do image processing and
> communicate a bitmap that might be tainted?

This is really tricky if you want the decoder to be able to handle non-same-origin images. The problem is that although we can isolate the worker at the API level, it's going to be almost impossible to prevent it from leaking information back to its origin via timing channels.

If we restrict the decoder to only handling images with the same origin as the decoder (or public via CORS), things are much better. I'd still want a good level of isolation to prevent untrusted code from being easily able to observe (and come to depend on) when/how often image decoding happens.

Rob
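The same-origin-or-CORS restriction Rob proposes, written out as an added example that is not part of the original thread or of any browser's code. The decoder origin, the image URL, the image response headers and a credentials flag are assumed inputs to a hypothetical dispatch step that decides whether an untrusted decoder worker may see the image at all.

```javascript
// Added example (not from the thread): a policy gate for a hypothetical
// pluggable image decoder running in an isolated worker. The untrusted
// decoder only gets images that are same-origin with it or that the
// server explicitly shared via CORS; everything else goes to the built-in
// decoder, so the untrusted code never learns the cross-origin image's
// bytes and is never handed its decode to time.

function originOf(url) {
  return new URL(url).origin;
}

// CORS readability rule used here: the response must carry an
// Access-Control-Allow-Origin header that names the requester's origin,
// or "*" (which the CORS spec disallows when credentials were sent).
function corsAllows(requesterOrigin, responseHeaders, credentialed) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !credentialed;
  return acao === requesterOrigin;
}

// true  -> the untrusted worker may decode this image
// false -> fall back to the trusted built-in decoder
function mayDecodeInUntrustedWorker(decoderOrigin, imageUrl,
                                    responseHeaders, credentialed = false) {
  if (originOf(imageUrl) === decoderOrigin) return true;
  return corsAllows(decoderOrigin, responseHeaders, credentialed);
}

// Dispatch helper: returns which decoder handles the image.
function chooseDecoder(decoderOrigin, imageUrl, responseHeaders,
                       credentialed = false) {
  return mayDecodeInUntrustedWorker(decoderOrigin, imageUrl,
                                    responseHeaders, credentialed)
    ? "untrusted-worker"
    : "builtin";
}
```

Header names are assumed to be lower-cased already, as they are in `fetch()` `Headers` objects.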