On Thu, Feb 14, 2013 at 6:27 PM, Brian Smith <bsm...@mozilla.com> wrote:
> Sandboxing affects the design and implementation of networking, iframes, > form submission, cross window communication (window.location.href, > window.history.*, window.postMessage(), etc.), navigation (e.g. clicking on > a link to navigate to another page), input fields > > The current way Google and some others do sandboxing is "process per tab," > but at the end of the day "tab" is the wrong boundary for isolation. For > example, if I am at attacker.com and then I go to mybank.com in the same > tab (perhaps by simply clicking a link), the sandbox is not as useful as > we'd like it to be, if it results in mybank.com being loaded into the > process that attacker.com booby-trapped. > > Given that networking and link navigation is so fundamental, I think it is > useful to plan ahead at least a little bit. Sandboxing cannot help enforce > same-origin policy effectively if networking is in the child (rendering) > processes, for example. In general, in a well-sandboxed browser, process > startup, teardown, and backgrounding would be designed to be very cheap and > there would be less emphasis on in-process caches of various kinds. In a > browser optimized for not having a sandbox, it would be more the opposite. > I'm well aware of all that. I thought we were going to rely on Rust's isolation mechanisms for this kind of finer-grained isolation. I thought that was a big part of the point of introducing Rust in the first place --- true "process per origin" can't really scale to large Web workloads because processes carry a lot of overhead, but language-based isolation potentially can since the overhead can be a lot lower. I thought that was a big part of the point of Servo! (Of course a big sandbox around the entire browser, or independent browsing contexts, could still be useful as a second line of defense to prevent the system from being persistently corrupted in case of a Rust exploit.) Rob -- Wrfhf pnyyrq gurz gbtrgure naq fnvq, “Lbh xabj gung gur ehyref bs gur Tragvyrf ybeq vg bire gurz, naq gurve uvtu bssvpvnyf rkrepvfr nhgubevgl bire gurz. Abg fb jvgu lbh. Vafgrnq, jubrire jnagf gb orpbzr terng nzbat lbh zhfg or lbhe freinag, naq jubrire jnagf gb or svefg zhfg or lbhe fynir — whfg nf gur Fba bs Zna qvq abg pbzr gb or freirq, ohg gb freir, naq gb tvir uvf yvsr nf n enafbz sbe znal.” [Znggurj 20:25-28] _______________________________________________ dev-servo mailing list dev-servo@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-servo
