hmm .. maybe we are talking across each other --- so does the requirement spec'ing that browsers implement the logic for DC (or DIFC) labels? I would rather that browsers do the confinement and allow webapp JavaScript code to do interposition and implement whatever label / flow system it desires. Your last email suggests that you also want the same.

If the proposal is only about implementing confinement and interposition, that sounds good to me (although, I share Mike's concerns about side channels).

cheers
Dev

On 8 February 2015 at 23:17, Deian Stefan <deian@cs.stanford.edu> wrote:
> Devdatta Akhawe <dev.akhawe@gmail.com> writes:
>
>> I think asking browsers to implement any distributed information flow
>> system is a big ask and to make it a deliverable for this WG an even
>> bigger ask. I think creating confined containers (workers or iframes)
>> that then allow some JS script to create simple information flow based
>> policies is a simpler first step and a more concrete deliverable. Note
>> that this in itself is not easy and it is not clear it can even be
>> done---see Martin's notes about side-channels.
>
> Sorry, but "confined containers (workers or iframes) that ... allow some
> JS script to create simple information flow based policies" is
> essentially what the goal of the COWL spec is.
>
> I agree that side channels are a concern if you consider malicious code,
> but confining code that is not malicious is still useful. And COWL's
> covert-channel assumption is the same as that of the existing CSP
> directives that deal with exfiltration. I don't think we need to
> eliminate covert channels to improve security.
>
> Cheers,
> Deian

Received on Monday, 9 February 2015 07:36:21 UTC