W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2011

Re: Component Model is not an Isolation Model

From: Dimitri Glazkov <dglazkov@chromium.org>
Date: Thu, 10 Mar 2011 14:10:21 -0800
Message-ID: <AANLkTik+_kocA3x=9Qe0+Y0sq1Eo4eyiQO52SutAa+0O@mail.gmail.com>
To: robert@ocallahan.org
Cc: Boris Zbarsky <bzbarsky@mit.edu>, public-webapps <public-webapps@w3.org>
On Thu, Mar 10, 2011 at 1:57 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
> On Fri, Mar 11, 2011 at 8:54 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> CDNs of various sorts, dedicated hostnames for different sorts of content
>> (a la existing images.something.com setups), that sort of thing.
>> If we want to not allow cross-site loading at all, those cases break. If
>> we want to allow it, we should try to make it hard to shoot yourself in the
>> foot by doing it, imo.
> OK, but those are all generally loading from trusted sites, like <script>
> does.
> I understand that it would be nice to improve on <script> by protecting
> against potential compromise of the other site. However, if document authors
> and component API authors don't think hard about the possibility of their
> component turning hostile (and I am very confident that they won't!), I fear
> that the component will be able to wreak havoc in the container via the APIs
> exposed by the component. For example, if we try to enforce protection via a
> capability model, it's easy to accidentally leak capabilities through a
> carelessly designed API.
> So I'm worried that protecting containers from components will be a burden
> on the component model that doesn't lead to much practical benefit. But
> maybe I worry too much :-).

No, I agree that this is a real concern. You are right, we must do
better than just tell authors to use object capabilities.

I am hoping to be able to use component encapsulation as enough of the
separation to be able to just have a big lever (FRIEND<-->ENEMY)  to
_slide_ a membrane between the component and its host. This is still
thinking in progress :)

> Rob
> --
> "Now the Bereans were of more noble character than the Thessalonians, for
> they received the message with great eagerness and examined the Scriptures
> every day to see if what Paul said was true." [Acts 17:11]
Received on Thursday, 10 March 2011 22:10:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:16 UTC