Re: Web RPCs Considered Harmful

From: Ken MacLeod <ken@bitsko.slc.ut.us>
Date: 13 May 2000 12:02:25 -0500
To: <xml-dist-app@w3.org>
Message-ID: <x5hfc24c4e.fsf@bitsko.slc.ut.us>

"Dave Winer" <dave@userland.com> writes:

> What would be the most practical, easy and low-tech way to add a
> layer of security, using current best-practices of the Internet?
> 
> Rather than seeing this as a time to put the brakes on, could we get
> into problem solving mode and have an answer that can easily be
> implemented in conjunction with the RPC work?

Since the problem is not one of active security (access control), but
of passive security (unintended faults), the solution isn't really
something one puts into a specification.

The current best-practice of the Internet for solving the passive
security problem is "sandboxing", highly restricting the environment
and access to resources from where code runs so that when that code
fails it is still confined to the sandbox.

Java and JavaScript, as examples, are designed with sandboxing as a
core feature.

  -- Ken
Received on Saturday, 13 May 2000 12:56:36 GMT