Re: WebAppSec re-charter status

Mike West <> writes:

> +dveditz, dbaron, annevk from Mozilla. Hi!

> On Wed, Feb 4, 2015 at 1:16 PM, Wendy Seltzer <> wrote:
>> > (1) The "Confinement with Origin Web Labels" deliverable is described
>> >      in a way that makes it unclear what the deliverable would do.  It
>> >      should be clearer.  Furthermore, the lack of clarity means we
>> >      couldn't evaluate whether we are comfortable with it being in the
>> >      charter.
> +Deian, perhaps you can come up with a paragraph or so clarifying the
> proposed deliverable?

Thanks, Mike.

Maybe we can replace the deliverable paragraph with the following:

Create and advance a recommendation for a robust JavaScript confinement
system for modern web browsers, in a way that is backward-compatible
with legacy web content.  The goal of the specification is to define APIs for
specifying privacy and integrity policies on data, in the form of origin
labels, and a mechanism for confining browsing contexts (pages, iframes,
etc.) according to these labels. This would allow Web application authors
and server operators to share data with untrusted code (e.g., in a
mashup scenario, cross-origin iframes) yet impose restrictions on how
the code can further share the sensitive data.

An additional goal is to define a light-weight, in-thread Web Worker.
This would allow developers to build privilege-separated,
compartmentalized applications, in addition to sandboxing potentially
untrusted scripts.

Any suggestions on this are more then welcome. I am happy to go into
more detail as well -- I left things high-level to match the description
of the other proposals.

David (dbaron) and Anne (annevk):

If it helps with the evaluation:

There are some more details (case study, example code, and paper that
describes things in detail) at

The talk from TPAC:


Received on Thursday, 5 February 2015 19:22:50 UTC