- From: Brad Porter <brad@tellme.com>
- Date: Tue, 31 Oct 2006 10:25:49 -0800
- To: "W3C Security (Public)" <public-wsc-wg@w3.org>
Hello everyone, I am Brad Porter. "Brad" works just fine. I work for Tellme Networks across many domains including security and all our standards work. I initiated our work a VoiceXML browser and was a heavy contributor to VoiceXML 2.0. Prior to Tellme I worked for Netscape. I have a history of playing at the edge of the browser/Java/Javascript sandbox. My thesis work included abusing the Java classloader to create a self-modifying Java applet. At Netscape I was abusing the LiveConnect capabilities to build instant messaging into Netcaster. At Tellme I've been a strong advocate of separating dynamic data from presentation data for a few years now, but I've been trying to push to securely enable cross-domain access to dynamic data. Toward that end, I've been abusing the XML processing instruction construct to enable document-level access-control specification [1]. I'm personally excited to see the web framework (globally accessible uniquely identified resources that can be dynamically loaded, parsed with a standard parser, run-time interpreted, and linked together in a secure sandbox) move beyond the confines of a monolithic desktop hypertext system into other domains (voice-response, mobile, desktop widgets). I am most concerned by the lack of a clear security sandbox model that is agreed upon or auditable. Clear interfaces are necessary for robust security. The lack of a clear sandbox model also increases the barrier to entry in building a browser for a new domain and prevents anyone from modifying or extending the sandbox to expand the capabilities of the web. Brad [1] Authorizing Read Access to XML Content Using the <?access-control?> Processing Instruction 1.0 http://www.w3.org/TR/access-control/
Received on Tuesday, 31 October 2006 18:26:01 UTC