Re: Component Model is not an Isolation Model

On Thu, Mar 10, 2011 at 1:57 PM, Robert O'Callahan <> wrote:
> On Fri, Mar 11, 2011 at 8:54 AM, Boris Zbarsky <> wrote:
>> CDNs of various sorts, dedicated hostnames for different sorts of content
>> (a la existing setups), that sort of thing.
>> If we want to not allow cross-site loading at all, those cases break. If
>> we want to allow it, we should try to make it hard to shoot yourself in the
>> foot by doing it, imo.
> OK, but those are all generally loading from trusted sites, like <script>
> does.
> I understand that it would be nice to improve on <script> by protecting
> against potential compromise of the other site. However, if document authors
> and component API authors don't think hard about the possibility of their
> component turning hostile (and I am very confident that they won't!), I fear
> that the component will be able to wreak havoc in the container via the APIs
> exposed by the component. For example, if we try to enforce protection via a
> capability model, it's easy to accidentally leak capabilities through a
> carelessly designed API.
> So I'm worried that protecting containers from components will be a burden
> on the component model that doesn't lead to much practical benefit. But
> maybe I worry too much :-).

No, I agree that this is a real concern. You are right, we must do
better than just tell authors to use object capabilities.

I am hoping to be able to use component encapsulation as enough of the
separation to be able to just have a big lever (FRIEND<-->ENEMY)  to
_slide_ a membrane between the component and its host. This is still
thinking in progress :)

> Rob
> --
> "Now the Bereans were of more noble character than the Thessalonians, for
> they received the message with great eagerness and examined the Scriptures
> every day to see if what Paul said was true." [Acts 17:11]

Received on Thursday, 10 March 2011 22:10:56 UTC