Make RTCDataChannels Transferable #317
Conversation
|
Transferable implies more than just being portable to Workers. It means that you can also send the data channel to another window. |
| <h3>RTCDataChannel and Workers</h3> | ||
| <p>An <code><a>RTCDataChannel</a></code> object MUST be | ||
| <code><a href="https://html.spec.whatwg.org/multipage/infrastructure.html#transferable-objects"> | ||
| Transferable</a></code> to <code>Workers</code> [[!WEBWORKERS]]. When it's |
There was a problem hiding this comment.
Doesn't this require changes to WebIDL? (at least modifying the [Exposed] tag)
There was a problem hiding this comment.
[Exposed] doesn't need to change here. We can expose RTCDataChannel in workers with no effort.
If the intent is to limit this to a worker (of what sort?!?), then we either have a mistake on the part of @jesup or maybe a misunderstanding about what transferable means.
My understanding is that a transferable object can be passed through postMessage to other origins as well as workers. We should simply identify that RTCDataChannel as [Transferable] and note the consequences of that.
There was a problem hiding this comment.
The specification is confusing on this point:
http://www.w3.org/TR/html51/infrastructure.html#transferable-objects
"Some objects support being copied and closed in one operation. This is called transferring the object, and is used in particular to transfer ownership of unsharable or expensive resources across worker boundaries."
@annevk can you weigh in here?
|
Göran Eriksson made a good point on the list. We need to ensure that the |
|
EKR is going to do security review |
|
@ekr could you review this one (as we decided in Sapporo)? |
|
@ekr has been pinged, but no response. |
|
@jesup we're not getting any response on our review request. Can you prod? |
|
@alvestrand not sure why you think having @jesup ping me is going to make me do this any faster. Anyway, I've reviewed this and modulo the issue about cross-origin transfers, seems roughly sound. One thing that I would observe is that there has been a bunch of discussion at various times about the interaction of DataChannels with SOP and in particular that DataChannels provide a mechanism for directly moving data from origin A to origin B in a way that is immune to SOP as well as to mixed-content warnings (what I mean here is that while you can't XHR from https:// origins to http:// origins, you can perfectly well DataChannel between them if the server allows both HTTP and HTTPS). If it's indeed possible to move one end of a DataChannel between origins using this technique, then that makes this sort of thing something that can happen solely in the browser: create a DataChannel in an http: origin and then post-message to a https: origin. This is something we try to stop when it's done through XHR. With that said, you could just as easily have the http origin proxy the JSEP for the https origin and achieve this effect, so it's not clear that this is making things worse. |
|
I talked separately with @annevk and he says that you can indeed transfer Transferrable things across origins. As @martinthomson suggests, we should make this point clear in the text. It might also be worthwhile making clear the point I suggested above. |
|
The change here does not seem to carefully define what transfering actually does and what happens to the original object and any future operations applied to the original object. whatwg/html#444 is a bit more realistic changeset of turning an object into a transferable object. |
|
Closing since #445 is a newer version for this functionality. |
|
@martinthomson looking back at your Sept 28 comment: how to specify that a data channel can't be transferred to a Service Worker? How is that done for WebSocket? |
|
The |
|
None in particular. |
|
I guess the "structured clone" algorithm needs to be refactored to take into account input and output Realm. Then there needs to be some kind of lookup to see whether the object from the input Realm can be created in the output Realm (using the Exposed IDL stuff), and then that needs to be able to fail (presumably through a |
|
Transferring a DataChannel to a ServiceWorker may not be very useful (due to lack of global state), but is it something that needs to specifically dis-allowed? That said, if it's not useful, perhaps it makes sense to disallow it. Open to whatever wording makes sense. (What does make sense to be 'transferable' to a ServiceWorker?) |
|
DataChannel would be very useful in ServiceWorker. Here are two use cases that this opens up:
|
|
Agree with @feross . The use case of hybrid P2P-HTTP CDNs in particular has the potential to offload a significant amount of bandwidth from the server. Having a transparent, drop-in service with all the bells and whistles that Service Worker can provide is a big help for pushing this forward. |
|
👍 I think this use case will allow a lot of valuable unforeseen possibilities. |
|
@feross While I'd love to make them usable from ServiceWorkers, there are practical and security/etc issues that make this hard, I believe (if anyone knows I'm wrong on these statements below, please correct me - I'm not an expert on Service Workers). The biggest issue is that what you want is PeerConnections in ServiceWorkers, not really making DataChannels transferable to ServiceWorkers. Without PeerConnections in the ServiceWorker, the connection must die when the PeerConnection's page goes out of scope. Transferring a PeerConnection to a ServiceWorker adds a lot of real problematic issues to resolve, both technically and from a user-control/privacy/security/etc perspective. That would be a separate discussion (for next-gen). So there's no advantage to just transferring a DataChannel to a ServiceWorker (instead of Worker). This is why I indicated it was "not useful", but I don't see any direct harm from it. (Martin?) DataChannels in Workers - those are what this PR is about, and those are absolutely useful. |
|
This Q&A is useful: http://stackoverflow.com/questions/29741922/prevent-service-worker-from-automatically-stopping Creating a Websocket (and by extension RTCPeerConnection) in a ServiceWorker is not useful because its lifecycle is tied to the fetch event. It will die usually immediately afterwards, before you can do anything useful with the socket. |
|
@adria2 has the right answer here. WebSocket and DataChannel both have a usage model that is incompatible with the idea that a ServiceWorker runs for a limited time. Both represent a way to keep the SW alive permanently, undermining the basic principle that states that a SW is only activated in response to certain types of events. Running these things in a SW also makes user accountability very difficult, if not impossible. |
|
+1 for @feross. All excellent points. |
|
+1 for @feross request, ViralJS poc would be better with this https://github.com/PixelsCommander/ViralJS |
|
It looks to me like there are some things to be done here:
Ideally this should be combined into one PR. Anyone willing to take on this work? @jesup or @ekr ? |
|
@martinthomson Aha - so if I'm correct your concern is that by allowing it to be transferred to a ServiceWorker, it would provide a way to subvert the lifetime limitations of a ServiceWorker? If so (and if other equivalent ways to subvert it don't exist, so this would be a new thing), then I can see bothering to disallow it. If it's not new to be able to extend the lifetime, I don't see the need to block it here. @feross - I don't see any short-term possibility of getting PeerConnections in ServiceWorkers. Without that, I don't see how this can achieve what you want. Even long-term, there will be serious questions about how this could be abused and affect privacy and performance. In any case, that would be a separate PR. |
|
I don't really follow the concerns about extending a service worker's lifetime. Service workers have |
|
(As for updating W3C HTML, I wouldn't bother. It's not maintained and no sane user agent implements from that.) |
|
+1 for DataChannels in ServiceWorkers, although I hope we can eventually get PeerConnections as well. |
|
This PR (and #445) needs work. If no one does the work it can't be part of 1.0. |
|
Closing while preparing for 1.0. It can be reopened later. |
|
@alvestrand @jesup it seems |
|
If you start working on this again please loop @domenic and I in. There have been some changes (mostly for the better in terms of what you needed last time this was discussed). |
|
Are there any technical limitations around exposing RTCDataChannel to Workers, before making them transferable from other worker scopes? |
No, it's just stalled, @feross opened an issue about it ~3 years ago. |
Per discussion in the list and frequent requests, here's a PR for Transferable RTCDataChannels. This likely isn't even officially needed, as adding it to the WhatWG list is likely all that's needed to make it transferable, but we should have a section on Transferability and the implications for in-flight events for implementors.