> We don’t believe it’s possible to eliminate, coarsen, or jitter all explicit and implicit clocks in the Open Web Platform (OWP) in a way that is sufficient to fully resolve Spectre.

I'm not sure, but I think they are giving up on the best strategy here. The holy grail is for untrusted code to be totally deterministic, so that it cannot exploit Spectre or any other side channel attack.

Browser JavaScript, which is historically single-threaded and event driven, is much closer to this than native code ecosystems where there are decades of investment in shared memory multithreading (which is very hard to make deterministic!). I don't think it would be impossible to make a JS engine where any given JavaScript event handler and all the synchronous APIs it can call are deterministic, so that all interaction with the nondeterministic outside world is through events (and the "outgoing" side of these interactions would be delayed until the event handler stops running). Then I think you could make it so that the runtime of JS isn't measurable, or at least is only extremely coarsely measurable, via these events.
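
A toy model of the design the comment describes, added here as an illustration and not part of the original comment or of any real JS engine. `DeterministicRuntime`, `dispatch`, `observe` and the 100 ms tick are hypothetical, and the handler's real running time is passed in as a constructed parameter rather than measured.

```javascript
// Handlers see only a logical clock that is frozen while they run, and
// their outgoing effects are buffered until the handler has returned,
// then released on a coarse tick boundary. All names are hypothetical.
class DeterministicRuntime {
  constructor(tickMs) {
    this.tickMs = tickMs;   // granularity at which effects become visible
    this.logicalNow = 0;    // the only clock exposed to handlers
    this.released = [];     // effects the outside world can observe
  }

  // realStartMs: when the event is delivered (constructed input).
  // realCostMs: how long the handler really ran (constructed input; in a
  // Spectre-style probe this is the data-dependent quantity).
  dispatch(handler, event, realStartMs, realCostMs) {
    const outbox = [];
    // The logical clock moves only between events, never during one.
    this.logicalNow = Math.floor(realStartMs / this.tickMs) * this.tickMs;
    const api = {
      now: () => this.logicalNow,
      send: (msg) => { outbox.push(msg); }, // held back, not sent yet
    };
    handler(event, api);
    // Outgoing side: release at the first tick boundary after completion.
    const done = realStartMs + realCostMs;
    const releaseAt = Math.ceil(done / this.tickMs) * this.tickMs;
    for (const msg of outbox) this.released.push({ at: releaseAt, msg });
    return releaseAt;
  }
}

// A handler that tries to time its own work from inside, plus what an
// outside observer learns from when the buffered message is released.
function observe(realCostMs) {
  const rt = new DeterministicRuntime(100);
  const handler = (event, api) => {
    const t0 = api.now();
    let x = 0;
    for (let i = 0; i < 1000; i++) x += i; // stand-in for the timed work
    api.send({ insideDelta: api.now() - t0, x });
  };
  const releaseAt = rt.dispatch(handler, {}, 0, realCostMs);
  return { insideDelta: rt.released[0].msg.insideDelta, releaseAt };
}
```

Costs of 0.3 ms and 4.1 ms are indistinguishable both inside the handler and from the release time, while a 120 ms cost crosses a tick boundary and is visible from outside, which is the "only extremely coarsely measurable" residue the comment allows for.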