A specification of the browser's intended security model would be excellent -- it would give definitive answers to security developers as to what constitutes a security bug, and definitive answers to JavaScript developers as to what guarantees they can rely upon. I applaud the idea.
> So I thought to write down some kind of semi-formal set of definitions > and rules, from which inductive or other proofs could be done. > > This is hard, and it wants to turn into some kind of operational > semantics. The first rough cut is at > http://wiki.mozilla.org/Security:Strawman_Model. I had a look at this page but i have a hard time understanding the model. would you mind defining some of the concepts in your formal syntax? For example -- what is a Request and who do you expect to be making such Requests? Could you state the English description of each security property you're trying to enforce, next to the formal rules that are intended to express that property? What is the purpose of the XHTML-subset language you've defined? I'm sorry that i lack the previous context of your design discussion, but i hope these clarifications will be useful to others as well as myself. Thanks! -- ?!ng _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
