Comments (7)
Hi @adamdbradley @steve8708, I started working on this feature. I made a quick and hacky POC to get it to work (both SW and Atomics). I moved the service worker and the web worker to a cross-origin iframe which communicates with the main thread via postMessage and then passes all messages to the web worker/service worker. Now I am trying to use a MessageChannel instead; that way we would avoid an additional message hop and performance should stay more or less the same as it is now. Atomics also work with this approach as long as both the main document and the new iframe satisfy crossOriginIsolated requirements.
I can finish it and open a PR, but I have a few questions:
- Would you take a PR for this? Do you have any specific requirements for this feature, such as making this new communication mechanism opt-in?
- Why does SW sandbox currently run inside an iframe? I cannot understand how it improves the isolation.
We can discuss this on Discord if that is more convenient for you, I left a message in partytown-general channel.
from partytown.
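The MessageChannel handoff described in the comment above, as an added example that is not part of the thread or of Partytown's code: the main document transfers a port to the cross-origin iframe, the iframe checks the sender before forwarding the port to the worker, and the worker then talks to the main document without a relay hop. The origins, message type names and function names are all assumptions made for illustration.

```javascript
// Added example, not Partytown code; every name and origin here is hypothetical.
const SITE_ORIGIN = 'https://site.example';       // assumed: the main document
const SANDBOX_ORIGIN = 'https://sandbox.example'; // assumed: origin hosting the iframe

// Main document: create the channel and transfer one end to the sandbox iframe
// (call this after the iframe's load event). The explicit targetOrigin means the
// browser drops the message, and the port, if the frame is on any other origin.
function connectSandbox(iframeWindow, onWorkerMessage) {
  const { port1, port2 } = new MessageChannel();
  port1.onmessage = (ev) => onWorkerMessage(ev.data);
  iframeWindow.postMessage({ type: 'sandbox-init' }, SANDBOX_ORIGIN, [port2]);
  return port1;
}

// Sandbox iframe: accept the port only from the embedding page, then forward it
// to the web worker. Returns true when the port was forwarded.
function makeIframeHandler(parentWindow, worker) {
  return function onWindowMessage(ev) {
    if (ev.origin !== SITE_ORIGIN || ev.source !== parentWindow) return false;
    if (!ev.data || ev.data.type !== 'sandbox-init') return false;
    const port = ev.ports && ev.ports[0];
    if (!port) return false;
    worker.postMessage({ type: 'main-port' }, [port]);
    return true;
  };
}

// Web worker: from here on, traffic flows worker <-> main document directly
// over the transferred port, without a relay through the iframe.
function onWorkerInit(ev, handleMainMessage) {
  const mainPort = ev.data && ev.data.type === 'main-port' && ev.ports && ev.ports[0];
  if (!mainPort) return null;
  mainPort.onmessage = (m) => handleMainMessage(m.data, mainPort);
  return mainPort;
}

// Browser wiring (commented out so the file also loads outside a browser):
// connectSandbox(iframe.contentWindow, console.log);                      // main document
// addEventListener('message', makeIframeHandler(parent, worker));         // iframe
// self.onmessage = (ev) => onWorkerInit(ev, (d, p) => p.postMessage(d));  // worker
```

The iframe only touches the one handshake message; if it rejects it, the worker never receives a port and has no channel to the main document.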
I see what you mean, in that you purposely do not want the scripts to even run on the same domain to specifically not allow access to indexedDB? You're right, in that right now between the sandbox iframe and the main window there isn't a postMessage, so doing so would add one more communication hop.
I think before we dig too far into that I'd be curious to investigate Atomics further. Right now I don't know enough what the implementation will look like, and don't want to go too far down this path just to find out we scrap it later. I'll leave this issue open and will revisit, but would love to keep discussing ideas here. Thanks
from partytown.
Put some more thought into this and certainly makes a lot of sense, especially if we want to sandbox and isolate even further. So step one, like you said, would be to the iframe sandbox to only communicate via postMessage.
Next I think the iframe hosted under a different origin, which might be harder for a default setup. So maybe the default continues to work under /~partytown/, but if it was moved to a different subdomain, it'd still just work, but more of an opt-in to ensure it's fully sandboxed. Thoughts?
from partytown.
Wonder if using sandboxed iframes would accomplish the same goals without having to have another domain to host the iframe on. May be able to easily create a sandboxed iframe inline using srcdoc
from partytown.
Ah tho I see why we would need Atomics to use inline sandboxed iframes as I'm not sure how it would work with the service worker approach. Ignore me
from partytown.
Thanks for the interest in this suggestion, @adamdbradley!
> Next I think the iframe hosted under a different origin, which might be harder for a default setup. So maybe the default continues to work under /~partytown/, but if it was moved to a different subdomain, it'd still just work,
I like this idea. It would simplify the documentation and make it easy for folks to opt into stronger isolation.
It's a bummer to impose the overhead of an additional postMessage hop for users that don't care about stronger isolation, though, so I hope we can make the iframe wrapper optional.
from partytown.
@steve8708, I agree that Atomics plus a sandbox iframe without the allow-same-origin permission would be simpler and faster. Unfortunately, it doesn't look like it's possible to use a service worker with such an iframe: w3c/ServiceWorker#1390.
One consequence of this situation to note is that the service worker implementation provides an opportunity for stronger isolation, as the SW controls network requests from the web worker. For that reason, I hope we can support the Atomics implementation with the cross-origin iframe setup as well.
from partytown.