by medlyyy 1921 days ago
I will admit I don't fully understand the implications of this.

Doesn't this mean it's essentially game over for running untrusted JS by-default? Doesn't default-deny functionality like NoScript have to become mandatory in browsers for security? If not, why not?

2 comments

It means game over for users who run browsers like Safari, which don't isolate each site to its own OS process.

If you load JavaScript from one site, that JS can read the entire state of memory for another site, if it is within the same OS process. This means that any site can include some nefarious JavaScript that reads all the cookies and passwords for the user on other sites, and then log in as them.

Seems like Firefox doesn't have this feature yet either?

https://wiki.mozilla.org/Project_Fission

Yeah, Firefox doesn't have it yet but as I understand it, they're getting very close to shipping Project Fission.
This only allows reading data from the current process. Chrome and Edge have something called site isolation, where every site has its own process. In principle, this means that a site can only read its own resources. The catch here is that there are a bunch of different ways a site can include potentially sensitive resources from other sites (e.g. via referencing them with an `img` tag). So sensitive endpoints need to opt in to additional protections that ensure they do not end up in cross-site browser processes.

But no, this isn't game over for running untrusted JS. It just means that we need to assume that JS can access anything in the same process.
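The "catch" in the comment above, as an added illustration that is not code from this thread or from any browser: a deliberately simplified model of the decision a site-isolated browser makes when a page on one site loads a subresource from another site. The function names (`mayEnterRendererProcess`, `sensitiveEndpointHeaders`) and the scenarios are my own constructions; the header names and values used (`Cross-Origin-Resource-Policy`, `Sec-Fetch-Site`, `X-Content-Type-Options`) are real web standards, and the MIME heuristic is an approximation of what Chrome's CORB does, not its actual algorithm.

```javascript
// Added example (not from the thread, not a browser's code): a simplified model
// of which cross-site subresource responses end up inside the requesting
// page's renderer process under site isolation, and how a sensitive endpoint
// opts in to stronger protection. Assumed/simplified: only no-cors subresource
// loads are modelled; CORS-mode fetches are handled by the CORS check and are
// out of scope here.

// MIME types a CORB-style heuristic refuses to hand to a cross-site renderer
// when they arrive as an image/script/style-type subresource, because such a
// subresource can never legitimately be HTML, XML or JSON.
const PROTECTED_TYPES = new Set([
  "text/html", "text/xml", "application/xml", "application/json",
]);

// Request destinations fetched in "no-cors" mode: their bodies land in the
// requesting page's process without any CORS check (the `img` tag case).
const NO_CORS_DESTINATIONS = new Set(["img", "script", "style", "audio", "video", "font"]);

// "application/json; charset=utf-8" -> "application/json"
function mimeEssence(contentType) {
  return String(contentType || "").split(";")[0].trim().toLowerCase();
}

// Decide whether a response body may enter the renderer process of the page
// that requested it. Inputs: what the server declared (contentType, corp) and
// what the browser knows about the request (secFetchSite, destination).
function mayEnterRendererProcess({ contentType, corp = null, secFetchSite, destination }) {
  if (secFetchSite === "same-origin" || secFetchSite === "none") {
    return { allowed: true, reason: "same-origin request: same process anyway" };
  }
  // 1. Explicit opt-in by the resource owner via Cross-Origin-Resource-Policy.
  if (corp === "same-origin") {
    return { allowed: false, reason: "blocked by CORP: same-origin" };
  }
  if (corp === "same-site" && secFetchSite === "cross-site") {
    return { allowed: false, reason: "blocked by CORP: same-site" };
  }
  // 2. Heuristic for resources that did not opt in (CORB-style).
  if (NO_CORS_DESTINATIONS.has(destination) && PROTECTED_TYPES.has(mimeEssence(contentType))) {
    return { allowed: false, reason: "blocked by MIME heuristic" };
  }
  // 3. Everything else is delivered into the cross-site process, where a
  //    speculative-execution bug could expose it to that site's JS.
  return { allowed: true, reason: "no protection applies: body enters cross-site process" };
}

// Headers a sensitive endpoint should send so it never depends on the heuristic
// alone. nosniff matters because without it the browser must sniff the body to
// trust the declared Content-Type.
function sensitiveEndpointHeaders(contentType, policy = "same-site") {
  return {
    "Content-Type": contentType,
    "X-Content-Type-Options": "nosniff",
    "Cross-Origin-Resource-Policy": policy,
  };
}

// Constructed scenarios: a page on attacker.example embeds resources served by
// bank.example (so every request is Sec-Fetch-Site: cross-site).
const SCENARIOS = [
  { name: "json-as-img-no-optin",
    req: { contentType: "application/json; charset=utf-8", secFetchSite: "cross-site", destination: "img" } },
  { name: "avatar-png-no-optin",
    req: { contentType: "image/png", secFetchSite: "cross-site", destination: "img" } },
  { name: "avatar-png-corp-same-site",
    req: { contentType: "image/png", corp: "same-site", secFetchSite: "cross-site", destination: "img" } },
  { name: "json-with-recommended-headers",
    req: { contentType: "application/json",
           corp: sensitiveEndpointHeaders("application/json")["Cross-Origin-Resource-Policy"],
           secFetchSite: "cross-site", destination: "img" } },
];

// Returns { scenarioName: allowed } so the outcome can be inspected or asserted.
function evaluateScenarios() {
  const out = {};
  for (const s of SCENARIOS) out[s.name] = mayEnterRendererProcess(s.req).allowed;
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SCENARIOS) console.log(s.name, mayEnterRendererProcess(s.req));
}
```

The second scenario is the point of the comment: a per-user image (an avatar, a chart of account data) is not covered by the MIME heuristic, so with no `Cross-Origin-Resource-Policy` header it is decoded inside the attacking site's process. The third and fourth scenarios show the opt-in closing that gap.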