Re: WebAppSec re-charter status from Devdatta Akhawe on 2015-02-09 (public-webappsec@w3.org from February 2015)

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 9 Feb 2015 08:48:39 -0800
To: Deian Stefan <deian@cs.stanford.edu>
Cc: Martin Thomson <martin.thomson@gmail.com>, Brad Hill <hillbrad@gmail.com>, Jeffrey Yasskin <jyasskin@google.com>, Mike West <mkwst@google.com>, Wendy Seltzer <wseltzer@w3.org>, David Ross <drx@google.com>, Dan Veditz <dveditz@mozilla.com>, Mounir Lamouri <mlamouri@google.com>, David Baron <dbaron@dbaron.org>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAPfop_3avMdNmE-_VcTfs5T6E+90pBf=WxEiNBq6a9mkQ3TGsA@mail.gmail.com>

> If I am not mistaken what you are proposing here is your work on DCS
> [2]. I like DCS, but this is a different system.  I think that web apps
> implementing the enforcement logic, while useful for more complex
> policies, is more difficult than associating a label with postMessages

Forgive me if I gave that impression. That was not my intention. I
actually think the ideas proposed in COWL are definitely what we want:
confinement for things like ads, third-party widgets without the heavy
cost of doing isolation via iframes. I think that was the general
motivation discussed at TPAC too, although maybe I am forgetting
something. So, for example, I am definitely in favor of something like
the workers in the proposal.

My only concern is whether or not we want to make "specify and
implement DC labels on the web patform" a part of the deliverable. It
seems you definitely want it to be part of the deliverable---but in
that case , I think the text should say this explicitly. I definitely
did not get that when I first read the text and we would have saved a
lot of email :)

cheers
Dev

> as a way of expressing security concern.  (Because of labels, the COWL
> confinement enforcement mechanism also piggy-backs on CSP.) But, more
> importantly, DCS cannot safely allow for a number of use cases that COWL
> does. For example, we would not be able to build mashups wherein the
> parties are mutually distrusting. This is because an iframe (or worker)
> cannot impose any restrictions on its parent and there is no way to
> impose confinement restrictions on cross-origin contexts.
>
> DCS and COWL have some similarities, but also have different goals, so
> it is natural that the approaches differ and excell at different things.
> I think they may even be complimentary.  But, if it's okay with you,
> Dev, I propose discussing DCS separately to avoid confusion.
>
> Thanks,
> Deian
>
> [1] http://www.scs.stanford.edu/~deian/pubs/stefan:2011:dclabels.pdf
> [2] http://devd.me/papers/dcs-esorics.pdf

Received on Monday, 9 February 2015 16:49:27 UTC