Re: Security use cases for packaging from Brad Hill on 2015-01-29 (public-webappsec@w3.org from January 2015)

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 29 Jan 2015 22:04:22 +0000
To: Yan Zhu <yzhu@yahoo-inc.com>, Chris Palmer <palmer@google.com>
Cc: "public-webapps@w3.org" <public-webapps@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Deian Stefan <deian@cs.stanford.edu>
Message-ID: <CAEeYn8izPtJ9+4yA_HEXMZwdkJGYE6rBGc9a=cudj8hHSPVOjw@mail.gmail.com>

Paging (future Dr.) Deian Stefan to the ER...

Any thoughts on using COWL for this kind of thing, with a pinned crypto key
as a confinement label to be combined with the regular Origin label?

-Brad

On Thu Jan 29 2015 at 1:43:05 PM Yan Zhu <yzhu@yahoo-inc.com> wrote:

> chris palmer wrote:
>
> > But other code from the same origin might not be signed, which could
> > break the security assertion of code signing.
>
>
> Maybe the code from the downloaded package has to be run from a local
> origin like chrome://*.
>
>

Received on Thursday, 29 January 2015 22:04:49 UTC