Re: WebAppSec re-charter status

On 9 February 2015 at 09:58, Brad Hill <> wrote:
> What do folks think?

Thanks for doing that Brad, this is better.

Now that this is clearer, I think that I can identify the problem, here:

> This would allow Web application authors and server operators to share data with untrusted code (e.g., in a mashup scenario, cross-origin iframes) yet impose restrictions on how the code can further share the sensitive data.

This is, as I understand it, a problem for which there is currently no
good solution.  The papers I've read on this acknowledge the existence
of the side channels that are available, but don't have good answers
on how to address the problem.

For instance, no solution has been offered to deal with the fact that
the sandboxed code could peg the CPU in order to exfiltrate data.

Received on Monday, 9 February 2015 00:24:20 UTC