It would be a good thing, wouldn't it? For over a decade, the browser security model has been evolving in spurts between periods of deathly stillness. The rules have stabilized for same-origin sandboxing, at least for common DOM APIs. But a great deal of the DOM was never standardized, including the whole of "Level 0", window objects among them. XHR's infamous same-origin restriction gives people fits and drives them to take chances with the hazards of script src=.
In general, security mechanism and policy were never defined or agreed upon using an open standardization process, so browser implementors have had to reverse-engineer, read open source, and chase after XSS bugs to achieve both interoperation and safety -- which may be at odds.

Moreover, for Mozilla with chrome and content windows, and XUL apps and extensions built using chrome, we have a non-standard model. It's more powerful and (of course) more vulnerable. It was unsound without XPCNativeWrappers, from the get-go. Even with wrappers it seems unsound to me. Then there is GreaseMonkey, which also mixes trust labels within the same sandbox, a risky proposition.

We clearly need more degrees of sandboxing than "runs as you" and "runs as a crippled mid-90s web app's window-bound JS". A lot of great research work has been done over the years, especially in the last ten years, yielding results such as information flow type systems and data-tainting compiler/virtual-machine combos that can uphold important security properties such as confidentiality (no send on socket after secret read from filesystem, e.g.), while allowing useful browser-based computation and user interaction including sanitization. We are poised to benefit from this work. But if we keep wasting time patching an unsound system, we will die the death of a thousand cuts. We need to specify the system and then move our code to match the spec.

So I thought to write down some kind of semi-formal set of definitions and rules, from which inductive or other proofs could be done. This is hard, and it wants to turn into some kind of operational semantics. The first rough cut is at http://wiki.mozilla.org/Security:Strawman_Model. Comments and questions welcome. I have had fruitful exchanges with bz over IRC, cut short by our other work. It would be great to recap them here and build on them.
/be
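The confidentiality property the post names (no send on a socket after a secret read from the filesystem), sketched as a toy dynamic label/taint tracker in JavaScript. This is an added example, not code from the post, from the strawman model, or from Mozilla; the filesystem, socket, file contents and the `SECRET` label are constructed stand-ins.

```javascript
// A labelled value: the data plus the set of confidentiality labels it carries.
class Labelled {
  constructor(value, labels = new Set()) {
    this.value = value;
    this.labels = labels;
  }
}

const SECRET = "secret"; // constructed label name

// Constructed "filesystem" source: every read comes back labelled SECRET.
function readSecretFile(files, name) {
  return new Labelled(files[name], new Set([SECRET]));
}

// Computation is allowed and propagates labels: the result carries the
// union of its inputs' labels, so secrets cannot be laundered by concatenation.
function concat(a, b) {
  return new Labelled(a.value + b.value, new Set([...a.labels, ...b.labels]));
}

// Explicit declassification: a reviewed sanitizer replaces the data with a
// non-revealing summary and drops the SECRET label. Only this function may.
function sanitize(lv) {
  const remaining = new Set(lv.labels);
  remaining.delete(SECRET);
  return new Labelled(`${lv.value.length} bytes`, remaining);
}

// Constructed "socket" sink: refuses any value that still carries SECRET.
function send(socketLog, lv) {
  if (lv.labels.has(SECRET)) {
    return { sent: false, reason: "SECRET-labelled data reached a network sink" };
  }
  socketLog.push(lv.value);
  return { sent: true };
}

// A blocked leak and an allowed sanitized send, against a constructed file.
// Caveat: a dynamic tracker like this only sees explicit data flows; implicit
// flows through control flow need the type-system approaches the post cites.
function demo() {
  const files = { "/tmp/plan.txt": "top secret plan" }; // constructed content
  const socketLog = [];
  const plan = readSecretFile(files, "/tmp/plan.txt");
  const leak = send(socketLog, concat(new Labelled("plan="), plan)); // blocked
  const ok = send(socketLog, sanitize(plan));                         // allowed
  return { leak, ok, socketLog };
}
```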
