/ecma262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Is it too late to remove SharedArrayBuffer from the spec? #1060

Open
Storyyeller opened this Issue Jan 6, 2018 · 3 comments

Comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@Storyyeller @jfbastien @littledan @mathiasbynens
@Storyyeller

Storyyeller commented Jan 6, 2018
edited

As major browser vendors have recently disabled SharedArrayBuffer as a security mitigation, is it too late to remove SharedArrayBuffer from the spec? It would be confusing to have yet another feature like proper tail calls in the spec that nobody actually implements.
@jfbastien

This comment has been minimized.

Show comment
Hide comment
@jfbastien

jfbastien Jan 6, 2018

It would be confusing to have yet another feature like proper tail calls in the spec that nobody actually implements.

JavaScriptCore implements tail call 😁

At least looking at Mozilla's messaging, the intent seems to be to re-enable SAB in the future:

In the longer term, we have started experimenting with techniques to remove the information leak closer to the source, instead of just hiding the leak by disabling timers. This project requires time to understand, implement and test, but might allow us to consider reenabling SharedArrayBuffer and the other high-resolution timers as these features provide important capabilities to the Web platform.

It seems premature to remove SAB from the spec given this intent.

jfbastien commented Jan 6, 2018

It would be confusing to have yet another feature like proper tail calls in the spec that nobody actually implements.

JavaScriptCore implements tail call 😁

At least looking at Mozilla's messaging, the intent seems to be to re-enable SAB in the future:

In the longer term, we have started experimenting with techniques to remove the information leak closer to the source, instead of just hiding the leak by disabling timers. This project requires time to understand, implement and test, but might allow us to consider reenabling SharedArrayBuffer and the other high-resolution timers as these features provide important capabilities to the Web platform.

It seems premature to remove SAB from the spec given this intent.
@littledan

This comment has been minimized.

Show comment
Hide comment
@littledan

littledan Jan 6, 2018

Member

I'd suggest we add a NOTE in the specification pointing to the issue, and saying something to the effect of, "it's understandable if implementations can't ship this due to security issues". Maybe violating spec conformance temporarily will be a little push towards getting implementers to implement and deploy these mitigations.
Member

littledan commented Jan 6, 2018

I'd suggest we add a NOTE in the specification pointing to the issue, and saying something to the effect of, "it's understandable if implementations can't ship this due to security issues". Maybe violating spec conformance temporarily will be a little push towards getting implementers to implement and deploy these mitigations.

@mathiasbynens mathiasbynens referenced this issue Jan 6, 2018

Open

SharedArrayBuffer and timing attacks (Meltdown and Spectre) #3

@mathiasbynens

This comment has been minimized.

Show comment
Hide comment
@mathiasbynens

mathiasbynens Jan 6, 2018

Member

tc39/security#3
Member

mathiasbynens commented Jan 6, 2018

tc39/security#3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment