I wonder what the security is like for that layer, if that layer can access stuff not assigned to it
I wonder what the security is like for that layer, if that layer can access stuff not assigned to it. Sounds like a bountyable thing to dig into
Cthere was a nice blog post recently about that: https://blog.cloudflare.com/workers-environment-live-object-bindings
The Cloudflare Blog
Bindings don't just reduce boilerplate. They are a core design feature of the Workers platform which simultaneously improve developer experience and application security in several ways. Usually these two goals are in opposition to each other, but bindings elegantly solve for both at the same time
Cshouldn't be able to reach anything not assigned at all
SIn theory. But it shares an issue workers have in that they use isolates, and a vm escape or another branch prediction exploit and bad news
Cand they've got a bunch of protections against that: https://developers.cloudflare.com/workers/reference/security-model/, but yea
SThat also decries giving everything access to everything which is ironic given if you can edit the toml you can also access everythig
Cthey don't always get put in a shared process either
Sometimes, though, Cloudflare does decide to schedule a Worker in its own private process. Cloudflare does this if the Worker uses certain features that needs an extra layer of isolation. For example, when a developer uses the devtools debugger to inspect their Worker, Cloudflare runs that Worker in a separate process
SUsing dev tools is a pretty manual process though
SFor PCI and HIPAA compliance they'll have to offer isolation as an option
SThough those measures often a separate process isn't even enough
SSpectre proved a lowly browser could access kernel memory, spooky stuff
SIt'd be neat if you could bind certain columns or tables in R1 to workers as opposed to the whole DB
Cwould be interesting, probably require a fair bit of custom sqlite patches though
SSqlite already supports authorization hooks
SSo less than you'd think
SCloudflares cloudified, distributed sqlite
Cit's D1, not R1 lol
SThese names are...less than great lmao
CR2D1, beep boop
SI can't ever not get them mixed up
CThe D is for "not actually Distributed yet"
SOr Dsqlite
SNext cursed idea, postgresql durable object running via a wasm runtime
CCD1 cheats because they have their own custom saving/storage stuff, and sqlite is embedded into the runtime
SYou could probably deeply compress the wasm
SAlso that emulates x86 and creates an entire networking stack from scratch
SThe wasm API doesn't work as expected in workers? That's lame, eliminates possibility of jitting
SGitHub
Lightweight Postgres packaged as WASM into a TypeScript library for the browser, Node.js, Bun and Deno - electric-sql/pglite
SDynamic wasm is a lot safer than dynamic js
SThough restricting dynamic js is kinda silly too
Pwhy not wasm?
LIf a customer receives a CF 503 Page from an endpoint that is backed by a worker, is that always an issue with CF connecting to the worker? I don't see any logs in my worker in these cases
CWhat do you mean "cf connecting to the worker"? Workers execute on the same machine that gets the request (unless you have smart placement enabled), not like it has to go anywhere. If your worker fetches an external host and returns the result, I would assume the 503 is from that
CIs it cloudflare branded normal error page (https://cloudflare.com/cdn-cgi/error/503), or is it black & white and looks like a nginx error page? Do you get any other error code in the visible error (like a internal 1xxxx/10xxx)?
Sit'd be neat if we could have authorizer workers that used sqlite3_set_authorizer for all db requests
LShows error 1105, the error is kind of vague though
Nplease tell me its possible to fetch() with a client-side ssl certificate?
Nim trying to implement apple pay
Nwelp according to what i'm reading online - no way to put it in fetch(), and to upload custom edge certificates you need business plan or higher, which is $200/mo?
Nwell yeah thats what im tryna do
Napple pay expects me to use a cert from them and a key i got
Nin nodejs, i did dispatcher: new Agent({
connect: {
cert: readFileSync(join(dirname, "../app/apple_pay.pem"), "utf8"),
key: readFileSync(join(dirname, "../app/key.pem"), "utf8"),
},
}),
connect: {
cert: readFileSync(join(dirname, "../app/apple_pay.pem"), "utf8"),
key: readFileSync(join(dirname, "../app/key.pem"), "utf8"),
},
}),
Nthe only thing I can find talking about mtls is having incoming requests be verified
Nare you aware whether it works for pages, or I have to use workers?
Nthank you
Nill try to put it directly in the pages project
Nif that doesnt work ill go workers
Nthank you very much!
THello does the workers working with pdf-js package?
Jyes, I'm using it successfully
