- From: Mike West <mkwst@google.com>
- Date: Wed, 5 Feb 2020 15:44:40 +0100
- To: Web Application Security Working Group <public-webappsec@w3.org>
Received on Wednesday, 5 February 2020 14:44:56 UTC
Hey folks,

In the context of the set of side-channel-mitigating isolation primitives that we've discussed on the past few calls, I've been thinking about the notion of Secure Contexts.

TL;DR: I think limiting the scope of that mechanism to the transport layer was a great idea in 2015; I think 2020 is a great time to revisit and expand it to include the threats we care deeply about today.

I sketched out a proposal for an updated threat model in https://github.com/mikewest/securer-contexts/, which includes COOP/COEP/CORP on the one hand, and hand-waves at injection mitigation on the other.

I'd appreciate feedback, either here on the list, in the GitHub repository, or on the design review request at https://github.com/w3ctag/design-reviews/issues/471. :)

Thanks!

-mike