Re: Security use cases for packaging from Ilya Grigorik on 2015-01-29 (public-webappsec@w3.org from January 2015)

From: Ilya Grigorik <igrigorik@google.com>
Date: Fri, 30 Jan 2015 09:41:42 +1100
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Yan Zhu <yzhu@yahoo-inc.com>, Chris Palmer <palmer@google.com>, "public-webapps@w3.org" <public-webapps@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CADXXVKrx4zy4XxOMeNhZ3nvTkt372fHGk-UfYOZLDjb8=3qYmA@mail.gmail.com>

Would it be possible to meet the security goals without assuming that the
response body is part of the package? See [1] for background on why that's
beneficial.. at least for performance side of the story. I'm picturing a
package description where each resource has a SRI token, plus a signature
to authenticate the tree of resources / package description itself?

[1] http://lists.w3.org/Archives/Public/public-web-perf/2015Jan/0008.html

On Fri, Jan 30, 2015 at 9:27 AM, Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> > Maybe the code from the downloaded package has to be run from a local
> origin like chrome://*.
>
> Doesn't the same issue that Chris raised still exist? You need a unit
> of isolation that says "only code signed with this public key runs in
> this isolation compartment". Chrome extensions have that model.
> Whether we achieve this via origins, COWLs, or origin+key as the
> identifier, is a separate question, but Chris' high level bit remains true.
>
> cheers
> dev
>
>

Received on Thursday, 29 January 2015 22:42:49 UTC