W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: WebAppSec re-charter status

From: Deian Stefan <deian@cs.stanford.edu>
Date: Sun, 08 Feb 2015 23:17:51 -0800
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Brad Hill <hillbrad@gmail.com>, Jeffrey Yasskin <jyasskin@google.com>, Mike West <mkwst@google.com>, Wendy Seltzer <wseltzer@w3.org>, David Ross <drx@google.com>, Dan Veditz <dveditz@mozilla.com>, Mounir Lamouri <mlamouri@google.com>, David Baron <dbaron@dbaron.org>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec\@w3.org" <public-webappsec@w3.org>
Message-ID: <87y4o7mu3k.fsf@cs.stanford.edu>
Devdatta Akhawe <dev.akhawe@gmail.com> writes:

> I think asking browsers to implement any distributed information flow
> system is a big ask and to make it a deliverable for this WG an even
> bigger ask. I think creating confined containers (workers or iframes)
> that then allow some JS script to create simple information flow based
> policies is a simpler first step and a more concrete deliverable. Note
> that this in itself is not easy and it is not clear it can even be
> done---see Martin's notes about side-channels.

Sorry, but "confined containers (workers or iframes) that ... allow some
JS script to create simple information flow based policies" is
essentially what the goal of the COWL spec is.

I agree that side channels are a concern if you consider malicious code,
but confining code that is not malicious is still useful. And COWL's
covert-channel assumption is the same as that of the existing CSP
directives that deal with exfiltration. I don't think we need to
eliminate covert channels to improve security.

Cheers,
Deian
Received on Monday, 9 February 2015 07:18:18 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC