惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
Lohrmann on Cybersecurity
Martin Fowler
Martin Fowler
Engineering at Meta
Engineering at Meta
腾讯CDC
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Microsoft Azure Blog
Microsoft Azure Blog
G
Google Developers Blog
TaoSecurity Blog
TaoSecurity Blog
博客园_首页
Vercel News
Vercel News
Hugging Face - Blog
Hugging Face - Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Last Week in AI
Last Week in AI
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
T
The Exploit Database - CXSecurity.com
量子位
Project Zero
Project Zero
A
Arctic Wolf
小众软件
小众软件
NISL@THU
NISL@THU
C
CERT Recently Published Vulnerability Notes
有赞技术团队
有赞技术团队
MongoDB | Blog
MongoDB | Blog
博客园 - 聂微东
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
N
News and Events Feed by Topic
宝玉的分享
宝玉的分享
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
T
Troy Hunt's Blog
P
Privacy & Cybersecurity Law Blog
Security Latest
Security Latest
B
Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
D
DataBreaches.Net
Schneier on Security
Schneier on Security
The Hacker News
The Hacker News
K
Kaspersky official blog
C
Check Point Blog
Hacker News: Ask HN
Hacker News: Ask HN
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Webroot Blog
Webroot Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
人人都是产品经理
人人都是产品经理
AI
AI
Cisco Talos Blog
Cisco Talos Blog
MyScale Blog
MyScale Blog
Cloudbric
Cloudbric
B
Blog RSS Feed
S
Schneier on Security
P
Palo Alto Networks Blog

StackBlitz Blog

Cloudflare is now backing pkg.pr.new’s data infrastructure! Bolt 100K Open Source Fund ViteConf 2024 was a blast Unbundling the JavaScript ecosystem StackBlitz is joining the Open Source Pledge Announcing TutorialKit: Interactive tutorials in the browser Get ready for ViteConf 2024 Announcing pkg.pr.new StackBlitz welcomes Ari Perkkiö, core team member of Vitest Catch us at Figma Config WebContainers and the future of web dev (interview with Jòan Varvenne) Open Source at StackBlitz Avoiding CORS issues with this one simple trick How to document design system components What is Vite (and why is it so popular)? Improving the developer experience of enterprise design systems Flow state: Why fragmented thinking is worse than any interruption What is Storybook? An Overview for Developers The Self-Rendering Eval Shirt Starters Upgrade: WebContainers and Vite Putting the Dev in Figma’s Dev Mode Announcing StackBlitz Self-hosted Building Together in Illinois 5 lessons design systems teams can learn from open-source maintainers Announcing Native Language Support in WebContainers Introducing StackBlitz Teams ViteConf is back! Bringing Sharp to WebAssembly and WebContainers npm, yarn and pnpm are now supported natively in WebContainers The Atomic Waltz: Unraveling WebAssembly Issues in V8 and SpiderMonkey WebContainers now run on Safari, iOS, and iPadOS Now I am become the Destroyer of Threads WebContainer API is here. StackBlitz September 2022 Update StackBlitz August 2022 Update StackBlitz July 2022 Update Introducing: Collections and Social Previews! Down the caching-hole: adventures in Announcing ViteConf StackBlitz June 2022 Update The Fox and the Bolt: Bringing WebContainers to Firefox WebContainers are now supported in Firefox on desktop and Android StackBlitz May 2022 Update StackBlitz April 2022 Update Cloudflare and StackBlitz partner to bring Cloudflare Workers to your browser Powering over 2M developers a month, StackBlitz has raised $7.9M StackBlitz March 2022 Update Announcement: WebContainers are out of beta in Chromium StackBlitz has joined the Bytecode Alliance StackBlitz February 2022 Update Cross-Browser support with Cross-Origin isolation StackBlitz welcomes Patak, core maintainer of Vite Chasing Memory Bugs through V8 and WebAssembly Remix v1 has landed, and it runs on WebContainers SvelteKit is now fully supported in WebContainers We Shopify partners with StackBlitz to bring Hydrogen development in-browser StackBlitz September 2021 Update Introducing Vite.new Templates! Announcing WebContainers Astro support! 🛰 Introducing: SQLite3 support in WebContainers! 🧪 StackBlitz July 2021 Update StackBlitz June 2021 Update Introducing WebContainers: Run Node.js natively in your browser Interactive Docs: The new norm for Remote Work
Bringing WebContainers to all Browsers: a call to action for COEP Credentialless
Alexander Berger Leading various go-to-market teams at StackBlit · 2022-03-08 · via StackBlitz Blog

Question: Why don’t StackBlitz WebContainers work in Safari, Firefox or on-prem with StackBlitz Enterprise?

While it may seem like a simple question, a full answer requires a bit of a journey through web browser architecture, white hat hackers, and the Internet forums where browser core team devs figure out how to keep us all safe on the increasingly dangerous worldwide network we all plug into every day. You can strap in for the ride or just read the TLDR and go back to browsing Twitter.

The TL;DR: WebContainers require cutting-edge browser functionality called Shared Array Buffers that require COEP Credentialless to function properly. We need this functionality to ship to non-Chromium browsers before we can support Firefox, Safari and on-prem enterprise WebContainers. We expect COEP Credentialless to become widely adopted in Q2 2022 which should allow us to ship multi-browser and on-prem support in Q3 2022.

Key Definitions

Before we dive into the story, let’s define a few of the key technologies:

  • WebContainers: the proprietary Node.js runtime that we launched in May 2021. The WebAssembly based kernel allows us to run Node (and other stuff) directly in the browser.
  • Array Buffers: act like raw memory in the browser, emulating the kind of direct memory access you would have in a desktop language like C. More precisely, Array Buffers store a raw sequence of bytes, representing binary data.
  • Shared Array Buffers (SABs): are Array Buffers that can be accessed by multiple threads concurrently which is critical for highly performant WebAssembly-based applications like StackBlitz WebContainers.
  • Cross-origin resources: any resource served from an origin (domain, scheme, or port) other than the primary origin of the current browser tab. For example, loading an embedded 3rd party website via an iframe.
  • Cross-origin isolation: a browser setting that limits what cross-origin resources a web application can access inside the browser to only those that explicitly opt-in to being accessed.
  • Cross-Origin Embedder Policy (COEP) Credentialless: a cutting-edge approach that allows web applications to securely utilize SharedArrayBuffers in a seamless way, without manual opt-in for each individual resource, as required with the current implementation of Cross-origin isolation.

At the core of the WebContainers design goals is creating a highly performant and secure code execution environment within the browser’s security sandbox. In order to do that we are building on top of WebAssembly and using SharedArrayBuffers to allow multi-threading and supercharge performance. This is not unique to StackBlitz WebContainers, as other advanced web applications like Google Earth and Zoom also rely on SABs. Support for this tech initially shipped in 2017 and everything was fine, until…

Meltdown & Spectre

On Wednesday January 3rd, 2018 the Google Zero team published a post detailing some serious vulnerabilities discovered in the SharedArrayBuffers implementation. A globally distributed group of security researchers (including folks from the Graz University of Technology in Austria, Georgia Tech in the US, the University of Adelaide in Australia, as well as a few independent researchers) had discovered an attack that could allow malicious web applications to read private user data across browser tabs.

In the words of the Google Chrome team, “This was a problem for us browser vendors, as we want to allow sites to execute code in the form of JavaScript and WASM, but strictly control the memory this code can access. If you arrive on my website, I shouldn’t be able to read anything from the Internet banking site you also have open. In fact, I shouldn’t even know you have your Internet banking site open. These are fundamentals of web security.”

If you want to dive even deeper into the technical details of these vulnerabilities Dr. Daniel Gruss and Jann Horn, two of the researchers involved in uncovering and documenting Meltdown & Spectre, gave an excellent talk on these vulnerabilities that you can watch on YouTube.

Browser Vendors Respond

To mitigate the risk of these newly discovered vulnerabilities in SharedArrayBuffers, browser vendors implemented a requirement that web applications that wished to continue using SABs must opt-into cross-origin isolation. This eliminated the newly discovered risk of cross-origin data leakage; however, this was a breaking change for many advanced web applications, including StackBlitz WebContainers (see Google’s comments on this issue in the orange caution message).

To avoid unnecessary disruption, the Chrome team created an origin trial that allows application developers to opt out of this restriction on a domain level and continue using SharedArrayBuffers without cross-origin isolation. StackBlitz applied for and implemented this temporary workaround for our .com application. This is why WebContainers are currently operational for .com users in Chrome, but not yet fully operational in other browsers (for which an origin trial does not exist) or on other domains (for example, on-prem at domains like stackblitz.yourcompanyname.com) that are not covered by the StackBlitz.com origin trial*.*

The Long Term Solution

So finally this brings us to Cross-Origin Embedder Policy (COEP) Credentialless: the long-term solution to using SharedArrayBuffers in modern web applications. COEP Credentialless allows web applications to securely load cross-origin resources without an explicit opt-in required for each individual resource. This is accomplished by automatically removing any embedded credentials (cookies, client certs, etc.) from cross-origin requests, mitigating the risk of secure data leakage.

This will undo the breaking changes introduced by the Cross-origin isolation requirement (and the need for the Chrome origin trial), enable us to begin testing WebContainer support in non-chromium browsers that adopt the new COEP Credentialless standard, and ultimately pave the path for WebContainers to be hosted on-prem for our enterprise customers.

Though credentialless mode just landed in Chrome 96, it’s not supported by any other browsers yet. For this reason many developers, including our team, is waiting to deploy COEP until other browser vendors adopt this critically important feature. We are working with the Firefox team to implement the needed changes as soon as possible. While Safari has enabled WebAssembly threads, they have unfortunately not yet indicated an intention to ship Credentialless.

StackBlitz Action Plan

We are planning to switch our StackBlitz.com application from the Chrome origin trial over to the new Credentialless approach in Q2 2022 as browser support for COEP Credentialless rolls out beyond Chrome. As with all new StackBlitz feature releases, we will validate the new implementation on StackBlitz.com for a quarter or so before pushing to Enterprise Edition after we are fully confident in the stability and security of the approach. Of course, as with all new technology, this timeline is dependent on how many issues our internal team and the browser vendors run into as we move forward with the implementation and testing.

If you would like to learn more about the challenges of this rollout from an engineering perspective I recommend the excellent blog post by Sam Verschueren titled Cross-Browser support with Cross-Origin isolation.

Thanks for your patience and continued support for web standards that help us all advance the power of the web!