You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4.0 KiB
4.0 KiB
SharedArrayBuffer, Spectre, and Cross-Origin Isolation Concerns
1. Introduction to SharedArrayBuffer
Overview
SharedArrayBufferis a JavaScript object that enables shared memory access between the main thread and Web Workers.- Unlike
ArrayBuffer, the memory is not copied between threads—allowing true parallelism. - Paired with
Atomics, it allows low-level memory synchronization (e.g., locks, waits).
Example Use
const sab = new SharedArrayBuffer(1024);
const sharedArray = new Uint8Array(sab);
sharedArray[0] = 42;
2. Browser Security Requirements
Security Headers Required to Use SharedArrayBuffer
Modern browsers restrict access to SharedArrayBuffer due to Spectre-class vulnerabilities.
The following HTTP headers must be set to enable it:
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
HTTPS Requirement
- Must be served over HTTPS (except
localhostfor dev). - These headers enforce cross-origin isolation.
Role of CORS
- CORS alone is not sufficient.
- However, embedded resources (like scripts and iframes) must still include proper CORS headers if they are to be loaded in a cross-origin isolated context.
3. Spectre Vulnerability
What is Spectre?
- A class of side-channel attacks exploiting speculative execution in CPUs.
- Allows an attacker to read arbitrary memory from the same address space.
Affected Architectures
- Intel, AMD, ARM — essentially all modern processors.
Why It's Still a Concern
- It's a hardware flaw, not just a software bug.
- Can't be fully fixed in software without performance penalties.
- New Spectre variants (e.g., v2, RSB, BranchScope) continue to emerge.
4. Mitigations and Current Limitations
Browser Mitigations
- Restricted precision for
performance.now(). - Disabled or gated access to
SharedArrayBuffer. - Reduced or removed fine-grained timers.
OS/Hardware Mitigations
- Kernel Page Table Isolation (KPTI)
- Microcode updates
- Retpoline compiler mitigations
Developer Responsibilities
- Avoid sharing sensitive data across threads unless necessary.
- Use constant-time cryptographic functions.
- Assume timing attacks are still possible.
- Opt into cross-origin isolation only when absolutely required.
5. Practical Development Notes
Using SharedArrayBuffer Safely
- Ensure the site is cross-origin isolated:
- Serve all resources with appropriate CORS policies (
Cross-Origin-Resource-Policy,Access-Control-Allow-Origin) - Set the required COOP/COEP headers
- Serve all resources with appropriate CORS policies (
- Validate support using:
if (window.crossOriginIsolated) {
// Safe to use SharedArrayBuffer
}
Testing and Fallback
- Provide fallbacks to
ArrayBufferif isolation is not available. - Document use cases clearly (e.g., high-performance WebAssembly applications or real-time audio/video processing).
6. Summary of Concerns and Advisements
| Topic | Concern / Consideration | Advisory |
|---|---|---|
| Shared Memory | Can expose sensitive data across threads | Use only in cross-origin isolated environments |
| Spectre Vulnerabilities | Still viable, evolving with new attack vectors | Do not assume complete mitigation; minimize attack surfaces |
| Cross-Origin Isolation | Required for SharedArrayBuffer |
Must serve with COOP/COEP headers + HTTPS |
| CORS | Not sufficient alone | Must combine with full isolation policies |
| Developer Security Practices | Timing attacks and shared state remain risky | Favor safer primitives; avoid unnecessary complexity |