[whatwg] origin+path namespacing and security

Ian Hickson wrote:
> 
> On Fri, 28 Aug 2009, Mike Wilson wrote:
> > 
> > My chain of thoughts is something like below (this is just a general
> > picture so don't take it too literally):
> > 
> > - invent a more restrictive mechanism for script access
> >   between documents from the same origin ("host") so it 
> >   can be limited based on a base path
> > - this mechanism needs a way to specify the blessed path,
> >   maybe something along the lines of document.domain or a
> >   response header
> > - the default blessed path should probably be as
> >   permissive as today to not break existing content on
> >   the Web (though maybe some smart algorithm may be
> >   developed that adds some restrictions)
> > - if new browsers implement this mechanism, it means it
> >   will be possible to secure all new HTML5 features
> >   implemented at the same time or later, as authors can
> >   depend on that, if a browser has feature X, then it also
> >   has path-based security
> > - old browsers will still ignore the new path-based
> >   restrictions, but they will not have the new HTML5
> >   features so these can not be exploited
> > - cookies will still be exploitable in old browsers and
> >   for legacy content, but as old browsers are phased out
> >   application authors can more and more depend on cookies
> >   also being "safe" based on configured path security
> 
> It's definitely too late to take on anything this radical in 
> the HTML5 time frame. I would recommend building experiments 
> on these lines, publishing papers and getting peer review, 
> and so on, to see what could be done on the long term.

OK, that sort of defeats the point, as it will not be possible
to depend on this security function for HTML5 features released
before its appearance in the standard - my idea was that, for example,
WebStorage would refer to (and require) the new enhanced
security model.
I'd say it is extremely difficult to add a stricter security 
model on to a released standard (with deployed browsers) in a 
way so authors can depend on it.

On the other hand, there hasn't been an overwhelmingly positive
response (understatement ;-) on this suggestion, so 
unfortunately I guess it might better be dropped.

Best regards
Mike

Received on Thursday, 3 September 2009 00:44:41 UTC
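The path-scoped access check sketched in the quoted proposal, modelled as an added example (this is not code from the thread or from any browser). Everything here is an assumption: the blessed path is taken from a hypothetical `X-Blessed-Path` response header, the default is `/` so legacy content keeps today's same-origin behaviour, access requires both documents to fall under each other's blessed path (mutual opt-in in the spirit of `document.domain`), and the "is this path under that base path" test reuses the cookie path-match rule from RFC 6265 so that `/~bob/app` does not accidentally bless `/~bob/application`.

```python
"""Model of a path-scoped same-origin check (added example, not from the thread).

Assumptions, none of which are in the original message:
- the blessed path travels in a hypothetical X-Blessed-Path response header;
- a missing or malformed header means "/", i.e. today's permissive behaviour;
- scripting is allowed only when each document's path lies under the OTHER
  document's blessed path (mutual opt-in, like document.domain);
- "lies under" uses the RFC 6265 section 5.1.4 cookie path-match rule.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def path_match(request_path, blessed_path):
    """RFC 6265 path-match: '/~bob/app' covers '/~bob/app' and '/~bob/app/x',
    but not the look-alike '/~bob/application/x'."""
    if request_path == blessed_path:
        return True
    if not request_path.startswith(blessed_path):
        return False
    if blessed_path.endswith("/"):
        return True
    # prefix matched and the next character in the request path is a slash
    return request_path[len(blessed_path)] == "/"


def origin(url):
    """Classic (scheme, host, port) origin tuple; ports are normalised."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))


def blessed_path(headers):
    """Hypothetical header; anything not starting with '/' falls back to '/'."""
    value = headers.get("X-Blessed-Path", "/")
    return value if value.startswith("/") else "/"


def may_script(accessor, target):
    """accessor and target are {"url": str, "headers": dict} documents."""
    if origin(accessor["url"]) != origin(target["url"]):
        return False  # ordinary same-origin policy still applies first
    a_path = urlsplit(accessor["url"]).path or "/"
    t_path = urlsplit(target["url"]).path or "/"
    return (path_match(a_path, blessed_path(target["headers"]))
            and path_match(t_path, blessed_path(accessor["headers"])))


# Constructed sample documents on one shared host (e.g. per-user directories).
DOCS = {
    "legacy": {"url": "http://users.example/~alice/index.html", "headers": {}},
    "app": {"url": "http://users.example/~bob/app/index.html",
            "headers": {"X-Blessed-Path": "/~bob/app"}},
    "app_sub": {"url": "http://users.example/~bob/app/admin/panel.html",
                "headers": {"X-Blessed-Path": "/~bob/app"}},
    "lookalike": {"url": "http://users.example/~bob/application/evil.html",
                  "headers": {}},
    "other_scheme": {"url": "https://users.example/~bob/app/index.html",
                     "headers": {"X-Blessed-Path": "/~bob/app"}},
}


def decisions():
    """Return {(accessor, target): allowed} for every ordered pair."""
    return {(a, t): may_script(DOCS[a], DOCS[t])
            for a in DOCS for t in DOCS if a != t}


if __name__ == "__main__":
    for (a, t), allowed in sorted(decisions().items()):
        print(f"{a:>12} -> {t:<12} {'allow' if allowed else 'deny'}")
```

The interesting rows are the ones the thread is about: the two documents under `/~bob/app` can still script each other, a legacy page elsewhere on the same host cannot reach them, and the `/~bob/application` look-alike is rejected by the path-match rule even though it shares the string prefix. Documents that send no header behave exactly as before, which is the backwards-compatibility property the proposal relies on.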