Closed flockonus closed 7 years ago
Almost sure the answer is NO. Web workers seem to have too many permissions, which seem to be always available - https://html.spec.whatwg.org/multipage/workers.html#apis-available-to-workers + https://developers.google.com/web/fundamentals/getting-started/primers/service-workers
Not comfortable loading any 3rd party webworker :/
Maybe iframes are a better deal...
iframes do share the same "CPU thread", so they compete for a single CPU resource.
If the iframe has the same domain as the host page, then it can access the parent DOM, making it insecure to run extraneous scripts. On the other hand, when on different domains, the only communication is through message passing, which is safe - https://stackoverflow.com/a/2620789/250019
It means an iframe can be less risky, but can also compromise performance if long-running, even to the point of making the main page completely unresponsive, with very little effort :/
Would be interesting to see if we can make an iframe load from a webworker, with the webworker simply relaying messages from main page <-> iframe
gotta PoC this!!! https://github.com/asvd/jailed
Jailed works like a charm, impressive
investigate if we can run external web workers without serious vulnerabilities
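The message-passing boundary mentioned in the comment on cross-domain iframes, sketched from the host page's side as an added example that is not part of the original thread or of the jailed project. `createMessageGate`, the message types, the size limit and the `sandbox.example` URL are assumptions made for illustration.

```javascript
// Added example: host-side gate for messages arriving from an untrusted iframe.
// createMessageGate, the message types and sandbox.example are assumptions.
const ALLOWED_TYPES = new Set(["ready", "result", "error"]);
const MAX_PAYLOAD_CHARS = 64 * 1024;

// expectedSource: the iframe's contentWindow.
// expectedOrigin: the frame's origin, or the string "null" when the iframe is
// sandboxed without allow-same-origin (it then runs in an opaque origin).
function createMessageGate(expectedSource, expectedOrigin) {
  const reject = (reason) => ({ ok: false, reason });
  return function gate(event) {
    // Any window holding a reference to this page can postMessage to it, so
    // check the sender's identity first; "null" is shared by every sandboxed frame.
    if (event.source !== expectedSource) return reject("unexpected source");
    if (event.origin !== expectedOrigin) return reject("unexpected origin");
    const msg = event.data;
    if (msg === null || typeof msg !== "object" || Array.isArray(msg)) {
      return reject("not an object");
    }
    if (typeof msg.type !== "string" || !ALLOWED_TYPES.has(msg.type)) {
      return reject("unknown type");
    }
    const payload = msg.payload === undefined ? "" : msg.payload;
    if (typeof payload !== "string") return reject("payload not a string");
    if (payload.length > MAX_PAYLOAD_CHARS) return reject("payload too large");
    // Copy only the expected fields; never pass the frame's object onward.
    return { ok: true, message: { type: msg.type, payload } };
  };
}

// Browser wiring (skipped outside a browser).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = document.createElement("iframe");
  // Scripts allowed, but no allow-same-origin: no access to the parent DOM,
  // cookies or storage even if the frame is served from the host's own domain.
  frame.setAttribute("sandbox", "allow-scripts");
  frame.src = "https://sandbox.example/plugin.html"; // placeholder URL
  document.body.appendChild(frame);
  const gate = createMessageGate(frame.contentWindow, "null");
  window.addEventListener("message", (event) => {
    const verdict = gate(event);
    if (verdict.ok) console.log("accepted", verdict.message);
    else console.warn("dropped message:", verdict.reason);
  });
}
```

The gate only protects the data path; it does nothing about a frame that keeps the shared thread busy.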