I think asking browsers to implement any distributed information flow system is a big ask and to make it a deliverable for this WG an even bigger ask. I think creating confined containers (workers or iframes) that then allow some JS script to create simple information flow based policies is a simpler first step and a more concrete deliverable. Note that this in itself is not easy and it is not clear it can even be done---see Martin's notes about side-channels. --dev On 8 February 2015 at 19:26, Deian Stefan <deian@cs.stanford.edu> wrote: > > Hi Dev, > > Devdatta Akhawe <dev.akhawe@gmail.com> writes: > >> The paragraph on "robust confinement mechanism" doesn't seem as >> concrete a deliverable as most other things in the charter. What >> exactly are we planning to do? DIFC or DC labels in a browser? > > I was trying to use language similar to the other deliverables, but I'm > happy to expand and clarify further. > > The plan is to provide APIs for specifying policy in terms of (DC) > labels and extend browsing contexts with labels (and APIs for changing > this label). The context label dictates with whom the context can > communicate, for example, by mapping the label to an underlying CSP > policy and sandbox-flags and checking labels when sending messages. > > An alternative (to DIFC) way of thinking about this is in terms of CSP: > when communicating with a party COWL ensures that the target's CSP is at > least as restricting as the sender's. > >> I think the second paragraph on light-weight workers is a clear >> deliverable and will be difficult enough. With that, a large part of >> the goals of the first paragraph on confinement can be achieved in an >> extensible manner, imo. > > I think that the light-weight worker deliverable is pretty > straightforward. And it can also be separately from the first part. I do > think that different components can be defined modularly as you > suggest. But, it is not enough to just define the workers to do > confinement. (I am not sure if that's what you meant by "With that".) > > Thanks, > DeianReceived on Monday, 9 February 2015 06:44:20 UTC
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC