endojs / endo

Endo is a distributed secure JavaScript sandbox, based on SES
Apache License 2.0

Daemon: Guests able to evaluate, makeBundle, storeValue, and storeBlob #2289

Open kriskowal opened 1 month ago

kriskowal commented 1 month ago

What is the Problem Being Solved?

Currently, host agents have the privilege of using evaluate, makeBundle, storeValue, and storeBlob, all of which are safe to extend to guest agents.

Description of the Design

Move these implementations to mail.js (which is clearly supposed to be named agent.js in MMXXIV) and expose them to both guest.js and host.js. We may need to take care to ensure that the guest can only use a worker named by the guest (not NEW). The solution to that problem may simply be to remove the NEW complication entirely.

Security Considerations

Make sure guests don’t implicitly get a capability to spawn an arbitrary number of workers.

Scaling Considerations

Make sure guests don’t implicitly get a capability to spawn an arbitrary number of workers.

Test Plan

Do so.

Compatibility Considerations

Break them.

Upgrade Considerations

Not yet.
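An added illustration of the attenuation the design and security sections ask for, written here as example code that is not Endo's daemon code: one shared evaluate implementation serves both host and guest agents, a guest can only address workers it already holds by pet name and can never request NEW, and the worker pool caps how many workers can exist. The names (makeWorkerPool, makeAgent, adopt, evaluate), the endowments parameter, and the worker limit are assumptions for the sake of the example; the "worker" here is a plain evaluator and not a real sandbox.

```javascript
// Added example, not Endo's code. Names, signatures and the worker limit are
// assumed for illustration. A "worker" is only an isolated evaluator here.

function makeWorkerPool(maxWorkers) {
  const workers = new Map();
  let counter = 0;
  return {
    // Spawning is the only way a worker comes into existence, so the cap
    // bounds what any agent, host or guest, can cause to exist.
    spawn() {
      if (workers.size >= maxWorkers) {
        throw new Error(`worker limit of ${maxWorkers} reached`);
      }
      const id = `worker-${counter++}`;
      workers.set(id, {
        id,
        // Evaluate `source` as an expression with the given endowments in scope.
        evaluate(source, endowments = {}) {
          const names = Object.keys(endowments);
          const fn = new Function(...names, `return (${source});`);
          return fn(...names.map((n) => endowments[n]));
        },
      });
      return id;
    },
    get(id) {
      const worker = workers.get(id);
      if (worker === undefined) throw new Error(`no such worker ${id}`);
      return worker;
    },
    count() {
      return workers.size;
    },
  };
}

// Shared agent implementation (what the issue would move into mail.js). The
// only difference between host and guest is whether NEW is honoured.
function makeAgent(pool, { mayRequestNewWorker }) {
  const petStore = new Map(); // pet name -> worker id

  function resolveWorkerId(workerName) {
    if (workerName === 'NEW') {
      if (!mayRequestNewWorker) {
        throw new Error('guest may not request a NEW worker');
      }
      return pool.spawn();
    }
    const id = petStore.get(workerName);
    if (id === undefined) {
      throw new Error(`no worker named ${JSON.stringify(workerName)}`);
    }
    return id;
  }

  return {
    // Give a worker a pet name so this agent can address it later. A host
    // grants a worker to a guest by adopting it into the guest's store.
    adopt(petName, workerId) {
      petStore.set(petName, workerId);
    },
    evaluate(workerName, source, endowments = {}) {
      const id = resolveWorkerId(workerName);
      return pool.get(id).evaluate(source, endowments);
    },
  };
}

const makeHost = (pool) => makeAgent(pool, { mayRequestNewWorker: true });
const makeGuest = (pool) => makeAgent(pool, { mayRequestNewWorker: false });

// Host spawns a worker, shares it with a guest, and the guest can evaluate in
// it but cannot reach the host's other workers or spawn any of its own.
function demo() {
  const pool = makeWorkerPool(4);
  const host = makeHost(pool);
  const guest = makeGuest(pool);

  const shared = pool.spawn();
  host.adopt('w1', shared);
  guest.adopt('shared', shared);
  const privateWorker = pool.spawn();
  host.adopt('w2', privateWorker);

  const results = {
    hostEval: host.evaluate('w1', 'x * 2', { x: 21 }),
    hostNewEval: host.evaluate('NEW', 'x - 1', { x: 3 }),
    guestEval: guest.evaluate('shared', 'x + 1', { x: 41 }),
    guestNewError: null,
    guestForeignError: null,
    workers: pool.count(),
  };
  try { guest.evaluate('NEW', '1'); } catch (e) { results.guestNewError = e.message; }
  try { guest.evaluate('w2', '1'); } catch (e) { results.guestForeignError = e.message; }
  return results;
}
```

The point of the structure is that the guest never holds a reference to the pool: the only worker it can name is one a host adopted into the guest's store, and the pool's limit rather than the agent's goodwill bounds how many workers exist.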