
Re: Component Model is not an Isolation Model

From: Robert O'Callahan <robert@ocallahan.org>
Date: Fri, 11 Mar 2011 10:57:18 +1300
Message-ID: <AANLkTi=_R3v0NCafyi95yqtd=02ci0-H5R8pyQAfjzZ5@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: Dimitri Glazkov <dglazkov@chromium.org>, public-webapps <public-webapps@w3.org>
On Fri, Mar 11, 2011 at 8:54 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> CDNs of various sorts, dedicated hostnames for different sorts of content
> (a la existing images.something.com setups), that sort of thing.
>
> If we want to not allow cross-site loading at all, those cases break. If we
> want to allow it, we should try to make it hard to shoot yourself in the
> foot by doing it, imo.
>

OK, but those are all generally loading from trusted sites, like <script>
does.

I understand that it would be nice to improve on <script> by protecting
against potential compromise of the other site. However, if document authors
and component API authors don't think hard about the possibility of their
component turning hostile (and I am very confident that they won't!), I fear
that the component will be able to wreak havoc in the container via the APIs
exposed by the component. For example, if we try to enforce protection via a
capability model, it's easy to accidentally leak capabilities through a
carelessly designed API.

So I'm worried that protecting containers from components will be a burden
on the component model that doesn't lead to much practical benefit. But
maybe I worry too much :-).

Rob
-- 
"Now the Bereans were of more noble character than the Thessalonians, for
they received the message with great eagerness and examined the Scriptures
every day to see if what Paul said was true." [Acts 17:11]
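The capability leak Rob describes, as an added illustration that is not part of the thread (all names, the tree shape and the "secret" value are invented): a container hands a component one small capability, and because the leaky API returns a live internal object with a parent link, that capability silently grows into access to the whole container.

```javascript
// Added example, not from the mailing-list thread. Container, slot and
// secret are constructed stand-ins for a container document and its state.
"use strict";

// The container's private tree; a component must never reach `root.secret`.
function makeContainer() {
  const root = { id: "root", parent: null, children: [], secret: "session-token" };
  const slot = { id: "slot", parent: root, children: [], text: "hello" };
  root.children.push(slot);
  return { root, slot };
}

// Carelessly designed API: returns the live internal node. The node carries a
// parent reference, so "read one slot" quietly becomes "walk the whole tree".
function leakyApi(container) {
  return { getSlot: () => container.slot };
}

// Hardened API: returns a frozen, data-only view that holds no object
// references back into the container's tree, so there is nothing to climb.
function hardenedApi(container) {
  return {
    getSlot: () =>
      Object.freeze({ id: container.slot.id, text: container.slot.text }),
  };
}

// A component that has turned hostile: it climbs from whatever object it was
// handed towards the container root and reports the secret if it gets there.
// Returns the secret on a successful leak, or null if the API contained it.
function hostileComponent(api) {
  let node = api.getSlot();
  while (node && node.parent) node = node.parent;
  return node && node.secret !== undefined ? node.secret : null;
}
```

The leak is not in the capability model itself but in the return type of one method; a review rule of "never return live internal objects across the component boundary" is what closes it.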
Received on Thursday, 10 March 2011 21:57:51 GMT
