mozilla / browserid-crypto

INACTIVE - JavaScript implementation of JSON Web Signatures, JSON Web Tokens, and JSON Web Certificates

Home Page: http://identity.mozilla.com


add throttling to avoid long-running script errors for large keys/weak browsers

jaredhirsch opened this issue

jwcrypto doesn't currently ever yield to the UI thread via setTimeout(), which means large keys (or crappy browsers like IE8 with not-necessarily-large keys) will lock up and/or throw the "long-running script" error. See callahad/mockmyid#4 for an example of this happening in real life.

The basic formula is simple, but making it work is tough: replace for loop with function call, increment a counter on each turn, yield to UI thread every so often.

Games are CPU-intensive but yield kindly to the UI thread, no reason we can't do the same here--especially if we want this library to be widely usable.

Ref on long-running scripts (5 million turns in IE) http://www.nczonline.net/blog/2009/01/05/what-determines-that-a-script-is-long-running/

Mitigation is to use DSA for JavaScript client-generated keys.
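The pattern the issue describes (loop body moved into a function, a turn counter, a periodic yield via setTimeout), applied to square-and-multiply modular exponentiation as an added example; it is not jwcrypto code. The names `modPowChunked`, `turnsPerSlice` and `schedule` are hypothetical, and the native BigInt used here is an assumption for brevity: a browser such as IE8 has none and would need a bignum library in its place.

```javascript
// Added example, not from jwcrypto: modular exponentiation that yields to the
// UI thread every `turnsPerSlice` loop turns instead of running one long loop.
// All names here are hypothetical.
function modPowChunked(base, exponent, modulus, done, options) {
  options = options || {};
  var turnsPerSlice = options.turnsPerSlice || 64;  // turns before yielding
  var schedule = options.schedule ||
    function (fn) { setTimeout(fn, 0); };           // default: yield to the UI thread

  if (modulus === 1n) { done(0n, 0); return; }

  var result = 1n;
  var b = base % modulus;
  var e = exponent;
  var yields = 0;

  // One turn: exactly what the body of the original for loop would do.
  function turn() {
    if (e & 1n) { result = (result * b) % modulus; }
    b = (b * b) % modulus;
    e >>= 1n;
  }

  // One slice: run a bounded number of turns, then either finish or yield.
  function slice() {
    var turns = 0;
    while (e > 0n && turns < turnsPerSlice) { turn(); turns++; }
    if (e > 0n) {
      yields++;
      schedule(slice);   // hand control back; the state lives in the closure
    } else {
      done(result, yields);
    }
  }

  slice();
}

// Constructed sample values: 4^13 mod 497.
modPowChunked(4n, 13n, 497n, function (result, yields) {
  console.log("result", result.toString(), "after", yields, "yields");
}, { turnsPerSlice: 2 });
```

The slice size trades throughput for responsiveness: each yield costs at least one timer tick, so it should be as large as the slowest target browser tolerates.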