Hey, glad you are reading this group.

Ka-Ping Yee wrote:
> I had a look at this page but i have a hard time understanding the
> model.
Sorry, it was more of a brain-dump. Lacking the time to do it right before imposing it on readers, I went with "release early and often."

> would you mind defining some of the concepts in your formal
> syntax? For example -- what is a Request and who do you expect to
> be making such Requests?

Principals make Requests of Objects. The model is basically Lampson's [http://portal.acm.org/citation.cfm?doid=121133.121160, http://research.microsoft.com/~lampson/09-protection/WebPage.html].

In the wacky browser world, ignoring signed scripts, principals are "codebase principals" representing the origin (URL scheme://hostpart, not including path but including any optional port number after a : in hostpart) of the script making a request. Objects are mappings from string keys to arbitrary values -- the (key, value) pair, or sometimes just the value, is called a property. A principal may get, set or call a property (only callable properties can be successfully called, but since the system is dynamically typed at present, you have to get and test, or just attempt the call, to find out what's callable).

A script downloaded via <script src="http://evil.org/bar.js"/> from an including web page at http://good.com/foo.html is given http://good.com as its origin. A script with origin "maps.good.com" can change its origin to "good.com" or even "com" by assigning the new origin string to document.domain. This allows other scripts from, e.g. "ads.good.com" to change their origin to the same domain name and join principals.

> Could you state the English description
> of each security property you're trying to enforce, next to the
> formal rules that are intended to express that property?

I will try, when I have more time; ideally by tomorrow.

> What is
> the purpose of the XHTML-subset language you've defined?

To help specify the principal for pseudo (about:, data:, and javascript:) URLs loaded via static markup source. And to specify event handler principals.
Also to specify script principals, in a future iteration that adds src=.

> I'm sorry that i lack the previous context of your design discussion,
> but i hope these clarifications will be useful to others as well as
> myself.

No need to apologize -- the unspecified world of browser security is nothing but context: bug histories, patch histories, ideas implemented 9 years ago based on Java security models that died, etc. Turning all of this context, too much of it in people's heads, into a spec, is the task I claim we face in order to avoid wandering in the wilderness of Hack-and-patch land. Help, including question/answer exchange a la the Socratic method at "web speed", is more than welcome. ;-)

/be

_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
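The codebase-principal rules described in the reply above, written out as a small executable model. This is an added example, not code from the original post, from Mozilla or from the spec being discussed: an origin is scheme://hostpart with the path dropped and any explicit :port kept; a script's principal comes from the page that included it, not from the URL it was fetched from; and document.domain may be set to any dot-separated suffix of the current host, which is how two principals join. The function names and the sample hosts are assumptions chosen for the example. One caveat from a defender's seat: current browsers refuse to relax document.domain to a public suffix such as "com", so the "even com" case in the post reflects the behaviour of the time, and this model leaves that guard to the caller.

```javascript
// Added example modelling the codebase-principal rules from the post above.
// Not the browser's real implementation; names and sample URLs are assumptions.

// Origin = scheme://hostpart. hostpart keeps an explicit :port and drops the
// path, query and fragment, exactly as the post defines it. The URL is parsed
// by hand so that an explicit default port (":80") is kept, as the post's
// definition says; real browsers normalise default ports away.
function originOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)/i.exec(url);
  if (!m) throw new Error("not an absolute URL with an authority: " + url);
  // Drop any user:pass@ prefix and lower-case: scheme and host are case-insensitive.
  const hostpart = m[2].replace(/^[^@]*@/, "").toLowerCase();
  return m[1].toLowerCase() + "://" + hostpart;
}

// Two requests are same-origin only when scheme, host and port all agree.
function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// A <script src="..."> is given the origin of the including page, so the URL
// the script was fetched from grants it no authority of its own.
function scriptPrincipal(includingPageUrl, scriptSrcUrl) {
  void scriptSrcUrl; // intentionally unused: fetch location is not the principal
  return originOf(includingPageUrl);
}

// document.domain relaxation as the post states it: a host may move to itself
// or to any dot-separated suffix of itself ("maps.good.com" -> "good.com").
// Moving sideways ("maps.good.com" -> "ads.good.com") is refused. Rejecting
// public suffixes such as "com" is left to the caller in this model.
function relaxDomain(currentHost, newDomain) {
  const cur = currentHost.toLowerCase();
  const nd = newDomain.toLowerCase();
  if (nd.length === 0) throw new Error("document.domain may not be empty");
  if (cur === nd || cur.endsWith("." + nd)) return nd;
  throw new Error(currentHost + " may not set document.domain to " + newDomain);
}

// Two principals join when both can legally relax to the same domain.
function canJoin(hostA, hostB, targetDomain) {
  try {
    return relaxDomain(hostA, targetDomain) === relaxDomain(hostB, targetDomain);
  } catch (e) {
    return false;
  }
}
```

Run it under Node or paste it into a browser console; sameOrigin("http://good.com/a", "http://good.com:8080/b") is false because the port is part of hostpart, while canJoin("maps.good.com", "ads.good.com", "good.com") is true, which is the joining the post describes and the reason relaxation needs a public-suffix guard in practice.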
