Implement contextual identity?

[asajeffrey]

Firefox is getting contextual identity: https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers Implementing something like this in Servo should be straightforward, once we've got private browsing in place.

[jdm]

The difficulty with the "one channel per context" scheme that #11544 is implementing is that we can't select over a dynamic set of channels.

[asajeffrey]

Isn't the idea that each producer/consumer only uses one of the channels? (e.g. a Work pipeline only uses the Work channel, which talks to the Work cookie store.)

[jdm]

Sure; that system works as long as there is a static set of contexts defined, rather than a dynamic set.

[asajeffrey]

Hmm, isn't the point of the capability-based version of private browsing that a script thread at security level L only needs access to one channel, whose other end is the resource thread at security level L? There shouldn't be any threads which need both the high-security and low-security channels. Presumably, I am missing something!

[asajeffrey]

cc @avadacatavra

[jdm]

@asajeffrey In the current model, context is determined by channel and there's a single thread that selects over the different channels and responds appropriately. An alternate model is that we have a separate thread per context (which would enable dynamic numbers of different contexts), but that seems like an inefficient use of resources to me.

[asajeffrey]

@jdm: we would be using one thread per context, but I think this a reasonable penalty since a) there's not very many of them (I think the default is something like 6) and b) it's going to be a lot easier to security audit. For example, we could make the private browsing cookie jar in-memory, and then audit the code for "doesn't touch the file system".

[notriddle]

I thought you could select over a dynamic set of channels. You have to rebuild the select structure if you want to change it, and the underlying API isn't safe, but it can be done.