- From: Oda, Terri <terri.oda@intel.com>
- Date: Fri, 21 Aug 2015 14:17:22 -0700
- To: Nick Doty <npdoty@w3.org>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>
- Message-ID: <CACoC0R_0+d8GKwQXo=NedQ98+zjT-P4WLm4QemgS067ctq2OFw@mail.gmail.com>
On Mon, Aug 17, 2015 at 10:15 AM, Nick Doty <npdoty@w3.org> wrote: > I like seeing exercises to model security explicitly and I'm sure we could > use more practice on this for the Web. I would be very curious to hear what > you experts have to say as feedback on this particular model (what is it > useful for? what would make it more useful?) and what other models might > already be out there to look at. > > > http://emergentchaos.com/archives/2015/08/towards-a-model-of-web-browser-security.html > > > For me, I noticed a couple things missing or different than I would have > expected. This might just be a diff of my personal mental model of Web > security, but hopefully the feedback is still useful. > One thing that concerns me a bit about this model is the separation of "static" and "dynamic" dependency and includes. A number of current web problems arise from people using mental models that expect static content/behaviour when instead they get dynamic content/behaviour. (e.g. XSS, but also more subtle things used for fingerprinting, or even "html5+css is turing complete" type issues) In the modern web, the distinction between static and dynamic is pretty blurry both by design (and soemtimes by rendering accidents), so it could well be more useful for a security model if all includes were considered to be potentially dynamic.
Received on Friday, 21 August 2015 21:17:55 UTC