Document considerations relatively to leaks via Spectre.

[ArthurSonzogni]

Website can read their's process memory via Spectre with various bandwidth depending on crossOriginIsolation, platforms and flags. See: https://leaky.page/

It would be nice documenting what are the measure taken to prevent communication in between:

• The worklet that can read the unpartitioned storage, but have no capabilities to exfiltrate the data, outside of the two controlled ones (opaque URLs, aggregated reporting API)
• The document/worker that can't read the unpartitioned storage, but has the capabilities to exfiltrate the data (network access).

[jkarlin]

Thanks for raising this Arthur. If we wanted to protect against spectre, then we'd need to at least have a dedicated process per site for the shared storage worklets. @xyaoinum for thoughts on if we'd need to isolate further.

[jkarlin]

Note that I think we would want to specify this as should isolate instead of must. It would be up to the capabilities of the browser and its current operating environment on whether or not it made sense to isolate.

[ArthurSonzogni]

Note that there is a problem similar with Fledge. However fledge is worse, because they are using cross-origin worklets. Here this is only a same-origin worklet. So the problem here is only about privacy, not security. The privacy boundary you would like to bring with SharedStorage is not fully strong. Incentives for ads network are strong, so you might figure out later after shipping, that everybody is bypassing the partitioned storage protection using this new hole.

You could argue that exploiting Spectre is significantly harder than exploiting fingerprinting techniques. So Spectre is not the lowest bar at the moment. But progress are going to be made about fingerprinting.

[ArthurSonzogni]

+CC @xchrdw FYI.

[xyaoinum]

If we want to protect against Spectre, I think we need to have a dedicated process per worklet, so that addModule cannot read prior state of that process, as addModule can leak information to the worklet's owner document through timing.

I we let addModule return immediately, then one dedicated process per site seems good enough.

[pythagoraskitty]

Closing for now. See the design doc for our design thought process.

If you would like to discuss further, please re-open or else start a new issue, thanks.