- From: Deian Stefan <deian@cs.stanford.edu>
- Date: Mon, 09 Feb 2015 00:26:09 -0800
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, Brad Hill <hillbrad@gmail.com>, Jeffrey Yasskin <jyasskin@google.com>, Mike West <mkwst@google.com>, Wendy Seltzer <wseltzer@w3.org>, David Ross <drx@google.com>, Dan Veditz <dveditz@mozilla.com>, Mounir Lamouri <mlamouri@google.com>, David Baron <dbaron@dbaron.org>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec\@w3.org" <public-webappsec@w3.org>
Devdatta Akhawe <dev.akhawe@gmail.com> writes:
> hmm .. maybe we are talking across each other --- so does the
> requirement spec'ing that browsers implement the logic for DC (or
> DIFC) labels?
I am proposing the use of Disjunction Category Labels (DC labels)
[1]. DC labels are just a way of saying to which origins is this data
sensitive. For example, Label("https://a.com") says that a message
labeled as such is sensitive to a.com;
Label("https://a.com").and("https://b.com") says that it is sensitive to
both a.com and b.com. The logic is a slight generalization of
sub-origins.
> I would rather that browsers do the confinement and allow webapp
> JavaScript code to do interposition and implement whatever label /
> flow system it desires. Your last email suggests that you also want
> the same. If the proposal only about implementing confinement and
> interposition, that sounds good to me (although, I share Mike's
> concerns about side channels).
If I am not mistaken what you are proposing here is your work on DCS
[2]. I like DCS, but this is a different system. I think that web apps
implementing the enforcement logic, while useful for more complex
policies, is more difficult than associating a label with postMessages
as a way of expressing security concern. (Because of labels, the COWL
confinement enforcement mechanism also piggy-backs on CSP.) But, more
importantly, DCS cannot safely allow for a number of use cases that COWL
does. For example, we would not be able to build mashups wherein the
parties are mutually distrusting. This is because an iframe (or worker)
cannot impose any restrictions on its parent and there is no way to
impose confinement restrictions on cross-origin contexts.
DCS and COWL have some similarities, but also have different goals, so
it is natural that the approaches differ and excell at different things.
I think they may even be complimentary. But, if it's okay with you,
Dev, I propose discussing DCS separately to avoid confusion.
Thanks,
Deian
[1] http://www.scs.stanford.edu/~deian/pubs/stefan:2011:dclabels.pdf
[2] http://devd.me/papers/dcs-esorics.pdf
Received on Monday, 9 February 2015 08:26:39 UTC