Re: [w3ctag/design-reviews] COOP same-origin-allow-popups-plus-coep (#649)

SharedArrayBuffer is a basic building block of WebAssembly that allows shared memory between WASM threads. It allows building high-performing web applications, in particular when such applications need to do a lot of computation. Without SharedArrayBuffers, the performance of those applications would be quite degraded.

At the same time, SharedArrayBuffers can be used to create high-resolution timers, which allow exploiting a Spectre vulnerability. So we have been forced to restrict their usage (based on the crossOriginIsolation mechanism). Otherwise, a malicious web page could use those to gain access to sensitive user data from the cross-origin resources they embed.

The current mechanism of SharedArrayBuffer restrictions prevents cross-origin popups from working. This means that flows that rely on it, like OAuth or payments, don't work if the page wants to use SharedArrayBuffers. It seems that users might want to have high-performance web applications that don't leak their data and also support popup-based 3rd-party OAuth and payment flows. This is the problem this proposal is trying to address.

WebID would solve the user need for OAuth flows. However, it does not address other kinds of flows, in particular payments.

@mikewest FYI

-- 
https://github.com/w3ctag/design-reviews/issues/649#issuecomment-870446400

Received on Tuesday, 29 June 2021 09:46:35 UTC