I think it's clear that we need to have more discussions with Richard and
his team to work through the security constraints more and figure out the
best path forward. As a member of TC39 and a participant in the discussions
about SAB, I apologize that I didn't more proactively contact Richard (I
me
I hope I didn't suggest that people should stop discussing it; all I wanted
to do was to lay out the background for the debate and the evidence that
has been presented so far, in particular given Richard's strong assertions
about what this attack is able to do in JS, in a browser - which in truth
i
On Thu, Mar 3, 2016 at 11:39 PM, Lars Hansen wrote:
> On Fri, Mar 4, 2016 at 1:41 AM, Richard Barnes
> wrote:
>
> > Another good reason for blocking this for now is that it lets Javascript
> > circumvent the 5usec granularity of performance.now() and do things like
> > stealing private keys.
> >
On Fri, Mar 4, 2016 at 1:41 AM, Richard Barnes wrote:
> Another good reason for blocking this for now is that it lets Javascript
> circumvent the 5usec granularity of performance.now() and do things like
> stealing private keys.
>
> https://www.w3.org/TR/hr-time/#privacy-security
> http://iss.oy.
Another good reason for blocking this for now is that it lets Javascript
circumvent the 5usec granularity of performance.now() and do things like
stealing private keys.
https://www.w3.org/TR/hr-time/#privacy-security
http://iss.oy.ne.ro/SpyInTheSandbox.pdf
https://bugzilla.mozilla.org/show_bug.cgi
It's not enabled by default because the API is probably not fully baked
yet; until the spec reaches Stage 3 at TC39 we should expect things to be
fluid. I don't expect that milestone to be reached until this summer.
We've discussed enabling by default on Aurora, DevEd, and Beta once we
reach Stag
Sounds good to me too. What's blocking us from enabling by default?
Rob
--
lbir ye,ea yer.tnietoehr rdn rdsme,anea lurpr edna e hnysnenh hhe uresyf
toD
selthor stor edna siewaoeodm or v sstvr esBa kbvted,t
rdsme,aoreseoouoto
o l euetiuruewFa kbn e hnystoivateweh uresyf tulsa rehr rdm o
Yes, disabled by default on all branches, enabled by default on Nightly.
(It's also supported on ARM, so it should be possible to test it on
Android, again by flipping the pref.)
--lars
On Thu, Jan 14, 2016 at 9:14 PM, Jonas Sicking wrote:
> Hi Lars,
>
> So if I understand correctly, this will
Hi Lars,
So if I understand correctly, this will still remain disabled by
default on all branches. However it will now be possible to test out
on all branches by flipping a pref?
If so that sounds great to me.
/ Jonas
On Thu, Jan 14, 2016 at 5:16 AM, Lars Hansen wrote:
> Until now the new Shar
For additional rationale, you might be interested to read:
https://blog.mozilla.org/javascript/2015/02/26/the-path-to-parallel-javascript/
On Thu, Jan 14, 2016 at 8:11 AM, Thomas Zimmermann
wrote:
> Thanks!
>
> Am 14.01.2016 um 15:08 schrieb Lars Hansen:
>> On Thu, Jan 14, 2016 at 2:49 PM, Tho
Thanks!
Am 14.01.2016 um 15:08 schrieb Lars Hansen:
> On Thu, Jan 14, 2016 at 2:49 PM, Thomas Zimmermann
> wrote:
>
>> Hi,
>>
>> I saw the lightning talk you gave in Orlando in this topic. I was
>> wondering if you considered implementing Transactional Memory for
>> SharedArrayBuffer.
>
> I have
On Thu, Jan 14, 2016 at 2:49 PM, Thomas Zimmermann
wrote:
> Hi,
>
> I saw the lightning talk you gave in Orlando in this topic. I was
> wondering if you considered implementing Transactional Memory for
> SharedArrayBuffer.
I have not (or, not in earnest).
> JS seems like the perfect enviro
Hi,
I saw the lightning talk you gave in Orlando in this topic. I was
wondering if you considered implementing Transactional Memory for
SharedArrayBuffer. JS seems like the perfect environment for TM. Are
there reasons for 'only' providing atomic ops? Just asking out of
curiosity...
Best regards
Until now the new SharedArrayBuffer constructor and the new Atomics global
object [1] have been enabled on Nightly only. Starting with Firefox 46,
those bindings will still be enabled by default on Nightly but they will
also be available on Aurora, DevEd, Beta, and Release by flipping the value
of
14 matches
Mail list logo