Talk:Site isolation/GA1

GA Review
The edit link for this section can be used to add comments to the review.''

Reviewer: RoySmith (talk · contribs) 17:04, 4 March 2024 (UTC)

starting review. RoySmith (talk) 17:04, 4 March 2024 (UTC)


 * "following the release of the Spectre and Meltdown vulnerabilities to the public", that's an odd way to phrase it. You "release" software.  I think what you meant here is "disclosure" or something similar.


 * " While previously accessing restricted memory was a relatively involved process requiring a compromised renderer, the Spectre vulnerability made it much easier to access arbitrary memory." I would rewrite that as "Spectre made it much easier to access arbitrary memory; this was previously a complicated process which required a compromised renderer." The next sentence ("This exposed...") is kind of convoluted.  I'm particularly confused by what "as using JavaScript" is supposed to be saying.
 * I've tried simplifying this


 * "Over the years, multiple versions of the site isolation architecture have been proposed." This sentence doesn't say much.  I'd drop it and just start with "In 2009, Reis et all..."


 * "This was subsequently improved upon ...", how about, "This was improved upon in by the Gazelle research browser..."


 * "based on their web principal" explain what a "web principal" is.
 * The part after the comma briefly explains what a web-principal is.


 * "the OP ... IBOS, Tahoma and the SubOS browser": browsers (plural)


 * "Google Chrome released a conference paper" I'd say that as "Reis, et al of the Google Chrome project presented a paper at USENIX ..."


 * "the idea of websites frames" I'm guessing you meant "websites'" (plural possessive) or "a website's"?


 * "a feature that had been suggested by the Gazelle web browser" browsers don't suggest, people do. Perhaps "used by Gazelle" or "suggested by Gazelle's authors"?


 * "requiring over 4000 commits over a period of 5 years" avoid repetition, so "more than 4000 commits from 320 contributors over a period of..."


 * "Chrome's implementation of site isolation allowed them" Chrome is not a person, so "them" can't be used to refer to it. "allowed it", I guess?


 * "which allowed attackers to compromise the same-origin policy": written like that, it's not clear if it is "Chrome's implementation" or "uXSS attacks" which are doing the allowing.
 * "attacks reported in between", omit "in"


 * "by the deployment on Site Isolation.": on -> of. Also, why is Site Isolation capitalized?


 * "preventing various variations" Just one of the "v" words is enough.


 * "Firefox announced" -> "The Firefox development team"


 * "iterated on a few of the flaws". You iterate on successes.  You address or fix flaws.


 * "the fact that similar web pages were still vulnerable to uXSS attacks." similar to what?
 * "Similar to Chrome, the project..." avoid repetition of the word "similar"


 * "Historically, site isolation has only been implemented by research browsers" Be more specific about what "Historically" means. Prior to some particular year?  Prior to some specific browser release?


 * "This was because the approach was considered" -> "The approach was considered..."


 * "resource and memory intensive due to increase in the amount of memory space taken up by the processes." This sentence got lost somewhere.  Memory is a kind of resource, so "resource and memory" is redundant.  And "memory intensive" is redundant with "increase in the amount of memory space taken up".


 * "This was reflected in real world implementations as well", it's unclear what "This" refers to.
 * Clarified


 * "took one to two cores more" link "core" to Central processing unit (or some other target if there's on that's more appropriate).


 * "not considered a silver bullet"; that's jargon. Perhaps "not considered a panacea"?  Also, who is doing the considering here?
 * That would have been Microsoft Reasearch, but you are right, that line isn't the best, I've tried to reword that part.

OK, that's it for a first reading. Overall, this is looking pretty good. I still need to come back for another read after you've addressed the issues I've noted above, plus copyright checks and reference spot-checks. I may not get back to that for a few days. RoySmith (talk) 18:02, 4 March 2024 (UTC)


 * Oh, one other thing; while not strictly required, it would be helpful if this could be illustrated with some block diagrams of how the various browser components interact with each other and how they are distributed among processes in the various architectures. Also, different operating systems have somewhat different concepts of what a process is.  If you could find anything which talks about how those differences affect implementations of site isolation on different platforms, that would be useful. RoySmith (talk) 18:09, 4 March 2024 (UTC)
 * I've added a diagram. I wasn't able to find much discussion about the comparism between different process implementations :( Sohom (talk) 03:29, 8 March 2024 (UTC)

Source spotcheck: 2, 5, 6, 12, 17 vs Special:Permalink/1211912654
 * The entire last paragraph of Background is cited to refs 5 & 6. Ref 5 is a 16 page paper.  The paragraph talks about both Spectre and Meltdown.  Ref 5 mentions neither of those.  Ref 6 only mentions Spectre.  This really needs to be cited at a finer resolution, citing specific page numbers in ref 5, and teasing apart which statements are supported by which of the two references.
 * I've added some new sources that mention both Spectre and Meltdown and specified which pages I am citing.


 * Ref 6 is a self-published blog, but I'm willing to accept it as a WP:RS based on the authors being subject matter experts.
 * "Around the same time, work was also being done on the OP (which would later become the OP2 browser), IBOS, Tahoma and the SubOS browsers all of which proposed different paradigms to solve the issue of process separation amongst sites.[8][2]" As far as I can tell, everything in this sentence is supported by ref-8 (section "7 Related Work"), so I'm not sure what value also citing it to ref-2 has.
 * Ref 2 provides a break down of each of the research browser's methodologies. While it is not strictly required, it would be useful to a more technical reader who might want to dig deeper.


 * Ref 2 is 20 pages; please provide more detailed citations including page numbers.


 * "The Chrome team found that all 94 uXSS attacks ..." this sentence is cited to refs 11 & 12, neither of which mentions 94 uxss attacks.
 * Fixed


 * Ref 17 is 20 pages long. Please provide more specific citations to page numbers.

As far as copyright problems go, a scan with Earwig turned up nothing of concern. RoySmith (talk) 20:00, 5 March 2024 (UTC)

RoySmith (talk) 19:58, 5 March 2024 (UTC)


 * @Sohom Datta I've placed this on hold. Please address the above issues in the next 7 days, thanks. RoySmith (talk) 18:37, 7 March 2024 (UTC)
 * @RoySmith I've addressed your points above. Let me know if there are any more concerns/issues :) Sohom (talk) 15:31, 8 March 2024 (UTC)
 * Looks good, thanks. Nice article.  It's amazing how sophisticated some of these attacks are. RoySmith (talk) 15:47, 8 March 2024 (UTC)