Here is the next design doc on dynamic libraries, specifically on how to handle fetching library files. It follows on from the previous doc on dynamic loading. In short, I propose to implement open() as an RPC which can be handled by untrusted code (Javascript or NaCl code) to provide a private file namespace to the web app:
http://code.google.com/p/nativeclient/wiki/AcquiringDynamicLibraries
The following page will be the top-level design doc from which I will link the others:
http://code.google.com/p/nativeclient/wiki/DynamicLinkingPlan
Feedback welcome, as before!
Mark
I was at least one of the sources of this. My criticism was less on
which particular HTML tag is used for the embed, and more on whether
the executable contained sufficient information to be run. This was
based on an example that showed the HTML author -- not the developer
of the module -- having final say on which dynamic library
implementations get loaded, and perhaps even on details of the address
space layout. Both of these seem like bad ideas to me. As an
application author, the last thing I want is for other people to
surprise me with new libraries. The stability programs caused by
Windows antivirus software are a great example of what can happen
here. Factor in malicious libraries chosen for your app on pages
controlled by people-who-aren't-you, and this starts to sound scary.
I understand the argument that the NaCl module should not get to have
final say on the library sources because it's an unacceptable level of
ambient authority -- I just disagree with it. :-) If the application
can specify libraries by path (not URL) in its headers, and the
hosting server is the only place searched, things get more reliable.
Allowing the server to host whitelists restricting what paths
nexes/libraries can be served from resolves most of my security
concerns (idea credit: bsy).
As for IFRAME vs. EMBED, they both have their strengths and
weaknesses, but the origin policy for IFRAMES seems far more
clear-cut, so that seems like a fine solution. Just remember that
there's little to *stop* a third-party from presenting your module
using EMBED, so we should have sane degradation when it happens.
--
Cliff L. Biffle
Google, Inc.
(650) 253-1473
If the application can specify libraries by path (not URL) in its headers, and thehosting server is the only place searched, things get more reliable.
Allowing the server to host whitelists restricting what paths
nexes/libraries can be served from resolves most of my security
concerns (idea credit: bsy).
I'm not proposing this as the endgame, just as a sufficiently flexible
solution for v1 with room for us to loosen it later.. Today, you
would have to compile all of CPAN in.
On Fri, Jan 15, 2010 at 12:11 PM, Mark Seaborn <msea...@chromium.org> wrote:I was at least one of the sources of this. My criticism was less on
> A criticism that I received in response to the file fetching design [1] was
> that it wouldn't work well for the use case of embedding NaCl programs
> across origins with the <embed> tag, e.g.
which particular HTML tag is used for the embed, and more on whether
the executable contained sufficient information to be run. This was
based on an example that showed the HTML author -- not the developer
of the module -- having final say on which dynamic library
implementations get loaded, and perhaps even on details of the address
space layout. Both of these seem like bad ideas to me. As an
application author, the last thing I want is for other people to
surprise me with new libraries. The stability programs caused by
Windows antivirus software are a great example of what can happen
here. Factor in malicious libraries chosen for your app on pages
controlled by people-who-aren't-you, and this starts to sound scary.
I understand the argument that the NaCl module should not get to have
final say on the library sources because it's an unacceptable level of
ambient authority -- I just disagree with it. :-)
If the application can specify libraries by path (not URL) in its headers, and the
hosting server is the only place searched, things get more reliable.
Allowing the server to host whitelists restricting what paths
nexes/libraries can be served from resolves most of my security
concerns (idea credit: bsy).
As for IFRAME vs. EMBED, they both have their strengths and
weaknesses, but the origin policy for IFRAMES seems far more
clear-cut, so that seems like a fine solution. Just remember that
there's little to *stop* a third-party from presenting your module
using EMBED, so we should have sane degradation when it happens.
while it may be possible to wrap all this complexity with a javascript
library, i don't think that's the right answer either. casual games
that have game assets, for example, will want to make it easy for
others to embed the game -- along with the game assets -- in their
pages. the requirement that dynamic libraries and files must be
loaded from the domain of the container forces embeds to be iframes,
which is too constraining. would casual game publishers have to
explicitly waive copyright for the game assets so that embedding sites
can make a copy? how could the game be updated? suppose it needs new
assets? new dynamic libraries? would all embedding sites need to be
informed of pending updates, so that they can all fix their code?
-bsy
> --
> You received this message because you are subscribed to the Google Groups
> "Native Client Discuss" group.
> To post to this group, send email to native-cli...@googlegroups.com.
> To unsubscribe from this group, send email to
> native-client-di...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/native-client-discuss?hl=en.
>
>
--
bennet s yee
i usually don't capitalize due to mild tendonitis
i think it is a mistake to make our system less usable. and requiring
web authors -- who know javascript but probably nothing about linker
scripts -- to have to dive into that level of details will make NaCl
embedding less useful.
while it may be possible to wrap all this complexity with a javascript
library, i don't think that's the right answer either. casual games
that have game assets, for example, will want to make it easy for
others to embed the game -- along with the game assets -- in their
pages. the requirement that dynamic libraries and files must be
loaded from the domain of the container forces embeds to be iframes,
which is too constraining.
would casual game publishers have to
explicitly waive copyright for the game assets so that embedding sites
can make a copy? how could the game be updated? suppose it needs new
assets? new dynamic libraries? would all embedding sites need to be
informed of pending updates, so that they can all fix their code?
i'm replying to both the notion of not allowing nacl modules to load
assets hosted at the same location as the nacl module and to the
dynamic loading memory layout proposal, which i believe you had also
mentioned via the code snippet w/ the dynamic_linker_fd code snippet,
as well as via the footnote in the first message in this thread.
>
>>
>> while it may be possible to wrap all this complexity with a javascript
>> library, i don't think that's the right answer either. casual games
>> that have game assets, for example, will want to make it easy for
>> others to embed the game -- along with the game assets -- in their
>> pages. the requirement that dynamic libraries and files must be
>> loaded from the domain of the container forces embeds to be iframes,
>> which is too constraining.
>
> Why are iframes too constraining?
can you easily coordinate actions between javascript code in a page
and those in a contained iframe with content loaded from a different
domain? can you make SRPC calls into a NaCl module embedded within an
iframe, again with content from a different domain?
>
>>
>> would casual game publishers have to
>> explicitly waive copyright for the game assets so that embedding sites
>> can make a copy? how could the game be updated? suppose it needs new
>> assets? new dynamic libraries? would all embedding sites need to be
>> informed of pending updates, so that they can all fix their code?
>
> These questions are all assuming the game is not embedded via an iframe,
> aren't they?
>
> Mark
>
>
--
On Wed, Jan 27, 2010 at 2:23 PM, Mark Seaborn <msea...@chromium.org> wrote:
> On Wed, Jan 27, 2010 at 10:04 PM, Bennet Yee (余仕斌) <b...@google.com> wrote:
>>
>> i think it is a mistake to make our system less usable. and requiring
>> web authors -- who know javascript but probably nothing about linker
>> scripts -- to have to dive into that level of details will make NaCl
>> embedding less useful.
> I'm not sure what part of my post you are responding to here.i'm replying to both the notion of not allowing nacl modules to load
assets hosted at the same location as the nacl module
and to the dynamic loading memory layout proposal, which i believe you had also
mentioned via the code snippet w/ the dynamic_linker_fd code snippet,
as well as via the footnote in the first message in this thread.
can you easily coordinate actions between javascript code in a page
>> while it may be possible to wrap all this complexity with a javascript
>> library, i don't think that's the right answer either. casual games
>> that have game assets, for example, will want to make it easy for
>> others to embed the game -- along with the game assets -- in their
>> pages. the requirement that dynamic libraries and files must be
>> loaded from the domain of the container forces embeds to be iframes,
>> which is too constraining.
>
> Why are iframes too constraining?
and those in a contained iframe with content loaded from a different
domain? can you make SRPC calls into a NaCl module embedded within an
iframe, again with content from a different domain?