Ben, thanks a lot for your answers. This is helpful information.
On Wednesday, 21 February 2018 15:44:31 UTC-5, Ben Noordhuis wrote:
>
> On Wed, Feb 21, 2018 at 9:05 PM, Chris Dumoulin wrote:
> > In the Embedder's Guide, Contexts are described as allowing "separate,
> > unrelated, JavaScript applications to run in a single instance of V8".
> > Also, the section on Security Model says that "In V8 an 'origin' is
> > defined as a context." However, I'm pretty sure that Chrome uses separate
> > Isolates within separate processes to isolate different browser tabs.
>
> Tabs use different isolates.
>
> Iframes in the same tab use different contexts but the same isolate.
>
> Workers in the same tab use different isolates. I don't know if
> Chromium puts them in separate processes but I expect it does.
>
> > My questions are about running untrusted JavaScript code, and the
> > appropriate use of Isolates and Contexts, with respect to security and
> > isolation of separate, unrelated, JavaScript.
> > - What safeties are in place that prevent JavaScript from breaking out
> >   of a Context?
>
> Context::SetSecurityToken() - contexts with different tokens can't
> access each other's objects; that includes arrays and functions.
>
> > - What safeties are in place that prevent JavaScript from breaking out
> >   of an Isolate?
>
> The observation that the V8 team would panic if that was possible. :-)
>
> It would be a pretty serious security vulnerability and Google takes
> those seriously. Report one or two good ones through the bug bounty
> program and you could take the rest of the year off.
>
> > - From a security perspective, is there a benefit to using separate
> >   Isolates within a single OS process, or would separate Contexts be
> >   just as good? I'm aware that Isolates don't support concurrent,
> >   multithreaded access.
>
> They are functionally equivalent. The moat might be marginally deeper
> in case of security breach with isolates. If you had to pick one or
> the other, pick isolates (and process isolation.)
>
> > I expect that sandboxing separate OS processes for unrelated, untrusted
> > JavaScript files/applications is the most secure solution, but I'm
> > trying to figure out how much better that is than multiple Contexts or
> > Isolates within a single process.
>
> The single process approach doesn't protect against out-of-memory
> conditions in a context or isolate. V8 doesn't handle OOMs except by
> terminating. It's not difficult for JS code to trigger an OOM: `for
> (let a = [];;) a.push(a)` will do it.
>
> Infinite loops are another issue a single process won't protect you
> against, at least not without coding your own watchdog functionality
> from scratch.
>
--
v8-users mailing list
v8-users@googlegroups.com
http://groups.google.com/group/v8-users