- From: Deian Stefan <deian@cs.stanford.edu>
- Date: Thu, 05 Feb 2015 11:22:17 -0800
- To: Mike West <mkwst@google.com>, Wendy Seltzer <wseltzer@w3.org>, David Ross <drx@google.com>, Dan Veditz <dveditz@mozilla.com>, Mounir Lamouri <mlamouri@google.com>, David Baron <dbaron@dbaron.org>, Anne van Kesteren <annevk@annevk.nl>
- Cc: "public-webappsec\@w3.org" <public-webappsec@w3.org>
Mike West <mkwst@google.com> writes: > +dveditz, dbaron, annevk from Mozilla. Hi! > On Wed, Feb 4, 2015 at 1:16 PM, Wendy Seltzer <wseltzer@w3.org> wrote: > >> > (1) The "Confinement with Origin Web Labels" deliverable is described >> > in a way that makes it unclear what the deliverable would do. It >> > should be clearer. Furthermore, the lack of clarity means we >> > couldn't evaluate whether we are comfortable with it being in the >> > charter. >> > > +Deian, perhaps you can come up with a paragraph or so clarifying the > proposed deliverable? Thanks, Mike. Maybe we can replace the deliverable paragraph with the following: Create and advance a recommendation for a robust JavaScript confinement system for modern web browsers, in a way that is backward-compatible with legacy web content. The goal of the specification is to define APIs for specifying privacy and integrity policies on data, in the form of origin labels, and a mechanism for confining browsing contexts (pages, iframes, etc.) according to these labels. This would allow Web application authors and server operators to share data with untrusted code (e.g., in a mashup scenario, cross-origin iframes) yet impose restrictions on how the code can further share the sensitive data. An additional goal is to define a light-weight, in-thread Web Worker. This would allow developers to build privilege-separated, compartmentalized applications, in addition to sandboxing potentially untrusted scripts. Any suggestions on this are more then welcome. I am happy to go into more detail as well -- I left things high-level to match the description of the other proposals. David (dbaron) and Anne (annevk): If it helps with the evaluation: There are some more details (case study, example code, and paper that describes things in detail) at http://cowl.ws/ The talk from TPAC: http://cowl.ws/talks/cowl-w3c.pdf Thanks, Deian
Received on Thursday, 5 February 2015 19:22:50 UTC