- From: Deian Stefan <deian@cs.stanford.edu>
- Date: Mon, 09 Feb 2015 00:26:09 -0800
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, Brad Hill <hillbrad@gmail.com>, Jeffrey Yasskin <jyasskin@google.com>, Mike West <mkwst@google.com>, Wendy Seltzer <wseltzer@w3.org>, David Ross <drx@google.com>, Dan Veditz <dveditz@mozilla.com>, Mounir Lamouri <mlamouri@google.com>, David Baron <dbaron@dbaron.org>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec\@w3.org" <public-webappsec@w3.org>
Devdatta Akhawe <dev.akhawe@gmail.com> writes:

> hmm .. maybe we are talking across each other --- so does the
> requirement spec'ing that browsers implement the logic for DC (or
> DIFC) labels?

I am proposing the use of Disjunction Category Labels (DC labels) [1]. DC labels are just a way of saying to which origins this data is sensitive. For example, Label("https://a.com") says that a message labeled as such is sensitive to a.com; Label("https://a.com").and("https://b.com") says that it is sensitive to both a.com and b.com. The logic is a slight generalization of sub-origins.

> I would rather that browsers do the confinement and allow webapp
> JavaScript code to do interposition and implement whatever label /
> flow system it desires. Your last email suggests that you also want
> the same. If the proposal is only about implementing confinement and
> interposition, that sounds good to me (although, I share Mike's
> concerns about side channels).

If I am not mistaken, what you are proposing here is your work on DCS [2]. I like DCS, but this is a different system. I think that web apps implementing the enforcement logic, while useful for more complex policies, is more difficult than associating a label with postMessages as a way of expressing security concern. (Because of labels, the COWL confinement enforcement mechanism also piggy-backs on CSP.) But, more importantly, DCS cannot safely allow for a number of use cases that COWL does. For example, we would not be able to build mashups wherein the parties are mutually distrusting. This is because an iframe (or worker) cannot impose any restrictions on its parent and there is no way to impose confinement restrictions on cross-origin contexts.

DCS and COWL have some similarities, but also have different goals, so it is natural that the approaches differ and excel at different things. I think they may even be complementary. But, if it's okay with you, Dev, I propose discussing DCS separately to avoid confusion.

Thanks,
Deian

[1] http://www.scs.stanford.edu/~deian/pubs/stefan:2011:dclabels.pdf
[2] http://devd.me/papers/dcs-esorics.pdf
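The label semantics Deian sketches above (a label is a conjunction of origins, and a message may only flow to a context whose label is at least as restrictive) can be made concrete with a small model. The following is an added example, not code from the thread, from COWL, or from the DC labels paper: it is a toy Python reimplementation of DC secrecy labels as reduced CNF over origin strings, with `and_`/`or_` standing in for the `.and()`/`.or()` label builders mentioned in the mail and `subsumes` for the "at least as restrictive" ordering. The `can_flow_to` helper and all origin strings are assumptions chosen for illustration.

```python
from itertools import product


class Label:
    """A DC secrecy label: a conjunction of disjunction clauses of origins.

    Stored as a frozenset of frozensets (CNF) and kept reduced, so that
    Label("a").and_(Label("a").or_("b")) collapses to Label("a").
    Toy model for illustration; not COWL's or the paper's implementation.
    """

    def __init__(self, *origins):
        # Label("https://a.com") -> one clause {a}; Label() -> public (empty conjunction).
        self.clauses = Label._reduce({frozenset([o]) for o in origins})

    @staticmethod
    def _reduce(clauses):
        # Drop any clause implied by a strictly smaller one (a implies a OR b).
        return frozenset(c for c in clauses if not any(d < c for d in clauses))

    @staticmethod
    def _from_clauses(clauses):
        label = Label()
        label.clauses = Label._reduce(set(clauses))
        return label

    def and_(self, other):
        """Sensitive to both: conjunction of the two labels' clauses."""
        return Label._from_clauses(self.clauses | _coerce(other).clauses)

    def or_(self, other):
        """Either party may read: distribute the disjunction over every clause pair."""
        other = _coerce(other)
        if not self.clauses or not other.clauses:
            return Label()  # public OR anything is public
        return Label._from_clauses(c | d for c, d in product(self.clauses, other.clauses))

    def subsumes(self, other):
        """True when self is at least as restrictive as other (self implies other):
        every clause of other must be implied by some clause of self, and a clause
        implies another exactly when its disjuncts are a subset of the other's."""
        other = _coerce(other)
        return all(any(d <= c for d in self.clauses) for c in other.clauses)

    def equals(self, other):
        return self.clauses == _coerce(other).clauses

    def __repr__(self):
        if not self.clauses:
            return "Label(public)"
        return " AND ".join("(" + " OR ".join(sorted(c)) + ")" for c in sorted(self.clauses, key=sorted))


def _coerce(x):
    """Accept either a Label or a bare origin string where a label is expected."""
    return x if isinstance(x, Label) else Label(x)


def can_flow_to(data_label, context_label):
    """Secrecy check: labeled data may enter a context only if the context's
    label is at least as restrictive as the data's label (hypothetical helper)."""
    return context_label.subsumes(data_label)


if __name__ == "__main__":
    a = Label("https://a.com")
    ab = a.and_("https://b.com")
    # A message sensitive to a.com may flow into a context confined to a.com AND b.com,
    # but data sensitive to both may not flow back to a context that only a.com governs.
    print(can_flow_to(a, ab), can_flow_to(ab, a))  # True False
    # Mutually distrusting mashup: neither a.com nor b.com alone can read the joint data.
    print(can_flow_to(ab, Label("https://b.com")))  # False
```

The reduction step matters for the "slight generalization of sub-origins" point: a disjunction such as `a OR b` is strictly less sensitive than `a`, so conjoining it with `a` adds no restriction and the label stays `a`; an ordinary origin label is simply the special case of a single one-origin clause.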
Received on Monday, 9 February 2015 08:26:39 UTC