Ben, thanks a lot for your answers. This is helpful information.

On Wednesday, 21 February 2018 15:44:31 UTC-5, Ben Noordhuis wrote:
>
> On Wed, Feb 21, 2018 at 9:05 PM, Chris Dumoulin <crdu...@gmail.com> wrote:
> > In the Embedder's Guide, Contexts are described as allowing "separate,
> > unrelated, JavaScript applications to run in a single instance of V8".
> > Also, the section on Security Model says that "In V8 an 'origin' is
> > defined as a context." However, I'm pretty sure that Chrome uses separate
> > Isolates within separate processes to isolate different browser tabs.
>
> Tabs use different isolates.
>
> Iframes in the same tab use different contexts but the same isolate.
>
> Workers in the same tab use different isolates. I don't know if
> Chromium puts them in separate processes but I expect it does.
>
> > My questions are about running untrusted JavaScript code, and the
> > appropriate use of Isolates and Contexts, with respect to security and
> > isolation of separate, unrelated, JavaScript.
> > - What safeties are in place that prevent JavaScript from breaking out
> > of a Context?
>
> Context::SetSecurityToken() - contexts with different tokens can't
> access each other's objects; that includes arrays and functions.
>
> > - What safeties are in place that prevent JavaScript from breaking out
> > of an Isolate?
>
> The observation that the V8 team would panic if that was possible. :-)
>
> It would be a pretty serious security vulnerability and Google takes
> those seriously. Report one or two good ones through the bug bounty
> program and you could take the rest of the year off.
>
> > - From a security perspective, is there a benefit to using separate
> > Isolates within a single OS process, or would separate Contexts be just
> > as good? I'm aware that Isolates don't support concurrent, multithreaded
> > access.
>
> They are functionally equivalent. The moat might be marginally deeper
> in case of security breach with isolates. If you had to pick one or
> the other, pick isolates (and process isolation.)
>
> > I expect that sandboxing separate OS processes for unrelated, untrusted
> > JavaScript files/applications is the most secure solution, but I'm
> > trying to figure out how much better that is than multiple Contexts or
> > Isolates within a single process.
>
> The single process approach doesn't protect against out-of-memory
> conditions in a context or isolate. V8 doesn't handle OOMs except by
> terminating. It's not difficult for JS code to trigger an OOM: `for
> (let a = [];;) a.push(a)` will do it.
>
> Infinite loops are another issue a single process won't protect you
> against, at least not without coding your own watchdog functionality
> from scratch.
>
--
v8-users mailing list
v8-users@googlegroups.com
http://groups.google.com/group/v8-users
---
You received this message because you are subscribed to the Google Groups "v8-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to v8-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.