On Tue, May 20, 2014 at 12:24 AM, Jonas Sicking <jo...@sicking.cc> wrote:
> On Mon, May 19, 2014 at 7:14 PM, Mike Hommey <m...@glandium.org> wrote: > > On Mon, May 19, 2014 at 06:35:49PM -0700, Jonas Sicking wrote: > >> On Mon, May 19, 2014 at 4:10 PM, Rik Cabanier <caban...@gmail.com> > wrote: > >> > I don't see why the web platform is special here and we should trust > that > >> > authors can do the right thing. > >> > >> I'm fairly sure people have already pointed this out to you. But the > >> reason the web platform is different is that because we allow > >> arbitrary application logic to run on the user's device without any > >> user opt-in. > >> > >> I.e. the web is designed such that it is safe for a user to go to any > >> website without having to consider the risks of doing so. > >> > >> This is why we for example don't allow websites to have arbitrary > >> read/write access to the user's filesystem. Something that all the > >> other platforms that you have pointed out do. > >> > >> Those platforms instead rely on that users make a security decision > >> before allowing any code to run. This has both advantages (easier to > >> design APIs for those platforms) and disadvantages (malware is pretty > >> prevalent on for example Windows). > > > > As much as I agree the API is not useful, I don't buy this argument > > either. What prevents a web app to just use n workers, where n is a much > > bigger number than what would be returned by the API? > > Nothing. The attack I'm trying to prevent is fingerprinting. Allowing > workers to run a large number of workers does not allow > fingerprinting. > Eli's polyfill can already be used to do fingerprinting [1]. It's not very good at giving a consistent and accurate results which makes it less suitable to plan your workload. It also wastes a lot of CPU cycles. 1: http://wg.oftn.org/projects/core-estimator/demo/ _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
