Hi v8-dev,

We (Cloudflare Workers team) are wondering how V8 feels about the security of the ValueDeserializer API. Do you believe it's safe to parse possibly-malicious input with this? My understanding is that Chrome does not provide any way to input attacker-controlled bytes to the API today, so wasn't sure if it's designed for that.

I ask because we'd like to expose V8 serialization in Cloudflare Workers for compatibility with Node.js, which already exposes this. But our threat model is very different from Node, such that we care a lot more about the security of the V8 sandbox.

Relatedly, is ValueDeserializer covered by fuzzing today?

Thanks,
-Kenton

--
v8-dev mailing list
http://groups.google.com/group/v8-dev

To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/9ef9ee6e-9e03-4127-8065-6c891b153d16n%40googlegroups.com.
