Re: WebAppSec re-charter status

hmm .. maybe we are talking across each other --- so does the
requirement spec'ing that browsers implement the logic for DC (or
DIFC) labels?

I would rather that browsers do the confinement and allow webapp
JavaScript code to do interposition and implement whatever label /
flow system it desires. Your last email suggests that you also want
the same. If the proposal only about implementing confinement and
interposition, that sounds good to me (although, I share Mike's
concerns about side channels).

cheers
Dev

On 8 February 2015 at 23:17, Deian Stefan <deian@cs.stanford.edu> wrote:
> Devdatta Akhawe <dev.akhawe@gmail.com> writes:
>
>> I think asking browsers to implement any distributed information flow
>> system is a big ask and to make it a deliverable for this WG an even
>> bigger ask. I think creating confined containers (workers or iframes)
>> that then allow some JS script to create simple information flow based
>> policies is a simpler first step and a more concrete deliverable. Note
>> that this in itself is not easy and it is not clear it can even be
>> done---see Martin's notes about side-channels.
>
> Sorry, but "confined containers (workers or iframes) that ... allow some
> JS script to create simple information flow based policies" is
> essentially what the goal of the COWL spec is.
>
> I agree that side channels are a concern if you consider malicious code,
> but confining code that is not malicious is still useful. And COWL's
> covert-channel assumption is the same as that of the existing CSP
> directives that deal with exfiltration. I don't think we need to
> eliminate covert channels to improve security.
>
> Cheers,
> Deian

Received on Monday, 9 February 2015 07:36:21 UTC