Robert O'Callahan wrote:
> Is it fair to say that for Security_Checks_In_Glue, on entry to a DOM method we're just pre-evaluating all the security checks that would be performed during this method call by a correctly-implemented Scattered_Security_Checks?
If Security_Checks_In_Glue is done right, yes.
> If that's so, then issues with correct principal switching and propagation go away as an implementation issue, but conceptually they still need to be considered by Security_Checks_In_Glue when we figure out what permissions are needed by each method.
Yes. Or at the very least we need to have a concept of methods that are "safe" or "not safe" to call, possibly depending on their arguments, and then look at the methods that the DOM method calls and see which ones are unsafe, and security-check those. At least to verify that we've correctly implemented security checking.
> Maybe the thing to do is to go with Security_Checks_In_Glue, but replace our scattered security checks with security assertion annotations that are processed by some tool (say Oink-based) to statically verify that the glue checks ensure they won't fail.
Yes, if we can do it that would be wonderful! Toss this into the wiki? Or would you like me to?
-Boris

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
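The design the two of them converge on above, as a toy Python model added here (it is not Mozilla code, and the helper names, permission strings, DOM method names and principals are made up): each internal helper declares the permission it needs, possibly depending on its arguments, a DOM method declares which helpers it calls, the glue pre-evaluates the union of those requirements on entry, and a checker confirms that whenever the glue check passes, no scattered assertion inside the helpers can fail.

```python
from dataclasses import dataclass


class SecurityError(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    origin: str
    permissions: frozenset = frozenset()


# Each helper maps its arguments to the permissions it would assert internally
# (Scattered_Security_Checks). A "safe" helper needs nothing. Names are made up.
HELPER_REQUIREMENTS = {
    "read_cookie": lambda args: {"cookie:read"},
    "set_location": lambda args: ({"navigate:cross-origin"}
                                  if args.get("cross_origin") else set()),
    "get_title": lambda args: set(),
}

# Call graph a static tool would extract: DOM method -> helpers it reaches.
DOM_METHOD_CALLS = {
    "document.cookie_getter": ["read_cookie"],
    "window.location_setter": ["set_location", "get_title"],
}


def required_permissions(method, args):
    """Security_Checks_In_Glue: pre-evaluate every check the callees would make."""
    needed = set()
    for helper in DOM_METHOD_CALLS[method]:
        needed |= HELPER_REQUIREMENTS[helper](args)
    return needed


def glue_check(method, caller, args):
    """Run at DOM method entry; refuses the call if any callee check would fail."""
    missing = required_permissions(method, args) - caller.permissions
    if missing:
        raise SecurityError(f"{method}: {caller.origin} lacks {sorted(missing)}")
    return True


def scattered_check(helper, caller, args):
    """The assertion the helper itself would make if checks stayed scattered."""
    return HELPER_REQUIREMENTS[helper](args) <= caller.permissions


def glue_implies_scattered(method, caller, args):
    """Verification step: if the glue admitted the call, no helper assertion fails."""
    try:
        glue_check(method, caller, args)
    except SecurityError:
        return True  # call never reaches the helpers, so nothing can fail
    return all(scattered_check(h, caller, args) for h in DOM_METHOD_CALLS[method])
```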
