W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: WebAppSec re-charter status

From: Deian Stefan <deian@cs.stanford.edu>
Date: Thu, 05 Feb 2015 11:22:17 -0800
To: Mike West <mkwst@google.com>, Wendy Seltzer <wseltzer@w3.org>, David Ross <drx@google.com>, Dan Veditz <dveditz@mozilla.com>, Mounir Lamouri <mlamouri@google.com>, David Baron <dbaron@dbaron.org>, Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec\@w3.org" <public-webappsec@w3.org>
Message-ID: <87vbjgp3iu.fsf@cs.stanford.edu>
Mike West <mkwst@google.com> writes:

> +dveditz, dbaron, annevk from Mozilla. Hi!

> On Wed, Feb 4, 2015 at 1:16 PM, Wendy Seltzer <wseltzer@w3.org> wrote:
>> > (1) The "Confinement with Origin Web Labels" deliverable is described
>> >      in a way that makes it unclear what the deliverable would do.  It
>> >      should be clearer.  Furthermore, the lack of clarity means we
>> >      couldn't evaluate whether we are comfortable with it being in the
>> >      charter.
> +Deian, perhaps you can come up with a paragraph or so clarifying the
> proposed deliverable?

Thanks, Mike.

Maybe we can replace the deliverable paragraph with the following:

Create and advance a recommendation for a robust JavaScript confinement
system for modern web browsers, in a way that is backward-compatible
with legacy web content.  The goal of the specification is to define APIs for
specifying privacy and integrity policies on data, in the form of origin
labels, and a mechanism for confining browsing contexts (pages, iframes,
etc.) according to these labels. This would allow Web application authors
and server operators to share data with untrusted code (e.g., in a
mashup scenario, cross-origin iframes) yet impose restrictions on how
the code can further share the sensitive data.

An additional goal is to define a light-weight, in-thread Web Worker.
This would allow developers to build privilege-separated,
compartmentalized applications, in addition to sandboxing potentially
untrusted scripts.

Any suggestions on this are more then welcome. I am happy to go into
more detail as well -- I left things high-level to match the description
of the other proposals.

David (dbaron) and Anne (annevk):

If it helps with the evaluation:

There are some more details (case study, example code, and paper that
describes things in detail) at http://cowl.ws/

The talk from TPAC: http://cowl.ws/talks/cowl-w3c.pdf

Received on Thursday, 5 February 2015 19:22:50 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC