Security Considerations

Platform Security Model

SiliconGhetto’s security model operates at multiple layers, designed for a world where untrusted game code runs in users’ browsers.

WASM Sandboxing

WebAssembly provides strong isolation by design:

  • Linear memory is bounds-checked
  • No direct access to host filesystem or network
  • No access to DOM unless explicitly granted via imports
  • Memory is isolated between modules

Games running as WASM modules cannot escape the browser sandbox.

Content Security Policy

The platform enforces restrictive CSP per-game:

default-src 'self';
script-src 'self' 'wasm-unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: blob:;
connect-src 'self';
font-src 'self';
object-src 'none';
frame-ancestors 'self';

Key restrictions:

  • 'wasm-unsafe-eval' allows WASM execution without 'unsafe-eval'
  • No external script loading
  • No external connections (prevents data exfiltration)
  • No plugin/object embeds

Cross-Origin Isolation

Required for SharedArrayBuffer (WASM threading):

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

Impact:

  • All resources must be same-origin or have CORP/CORS headers
  • External embeds may break
  • Third-party analytics scripts may not work

Domain Isolation

Published games are served on subdomains:

  • game-slug.games.siliconghetto.com
  • Each game has its own origin
  • Cookies, localStorage, and other browser state are isolated per-origin
  • One game cannot access another game’s data

Upload Validation (Future)

When game publishing is implemented:

  1. Manifest validation: Schema compliance, required fields
  2. Size limits: WASM binary and total bundle size caps
  3. Content scanning: Automated checks for common abuse patterns
  4. Rate limiting: Per-user upload frequency limits
  5. Review queue: Flagged content held for manual review

Abuse Prevention

  • Rate limiting on all API endpoints
  • File size limits on uploads
  • WASM binary analysis for suspicious patterns
  • Community reporting mechanism
  • Automated takedown for policy violations

Subdomain Safety

If user-generated subdomains are introduced:

  • Slugs must be validated against reserved names
  • Trademark/impersonation concerns require moderation
  • DNS wildcard configuration limits subdomain scope
  • No user-controlled DNS records

Data Protection

  • No personally identifiable information stored in game bundles
  • Platform metadata (SQLite) backed up regularly
  • Artifact storage (S3) uses server-side encryption
  • No analytics tracking without explicit consent
  • GDPR-compatible data handling planned