On Thu, Jan 29, 2015 at 10:50 PM, Yan Zhu y...@yahoo-inc.com wrote:
> Say that resource Y is a javascript file that listens for users typing in
> password fields and shows them a warning if the password is weak. The user
> verifies and loads the HTML page that includes Y but an attacker then blocks
> the request to fetch Y, so the user picks a weak password.
The application developer could cope with this in the top-layer code:
===
<script>
  // Declared before the include, so a blocked fetch leaves it null.
  var passwordChecker = null;
  ...
</script>
<script src="password-checker.js"></script>
<script>
  if (null == passwordChecker) {
    // handle failure of security dependency
  }
</script>
===
Just as a native application developer should do:
===
#include <dlfcn.h>

void* passwordChecker = dlopen("password-checker.so", ...);
if (NULL == passwordChecker) {
  // handle failure of security dependency
}
===
But,
> My intuition is that most developers think about the security of their app as
> a whole, not the security of their app minus any-given-subset-of-resources.
You're probably right, about both web developers and native code developers.
But, if we provide a declarative interface for the package format that
allows developers to declare that a given dependency should be
pre-loaded when possible and mandatorily pre-loaded, they might be
more likely to use that than to write the tedious error-handling code
like that above. I.e. we can create good affordances, and thus get the
benefits of security and performance most of the time.
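The "pre-loaded when possible" versus "mandatorily pre-loaded" distinction, and the fail-closed handling it is meant to replace, as an added example that is not part of the thread or of any package format it discusses; the manifest, the checker rules and the loaded-set bookkeeping are all constructed for illustration.

```javascript
// Added example: a declarative dependency manifest and the fail-closed
// handling that the thread argues developers rarely write by hand.
// All names, URLs and checks here are constructed, not from the thread.

// Declarative manifest: which script provides which global, and whether the
// page may run without it (mandatory = "mandatorily pre-loaded").
const MANIFEST = [
  { src: 'password-checker.js', provides: 'passwordChecker', mandatory: true },
  { src: 'analytics.js',        provides: 'analytics',       mandatory: false },
];

// Built-in rule used only when an OPTIONAL checker failed to load, so a
// blocked fetch still does not wave the weakest passwords through.
function fallbackChecker(password) {
  return password.length >= 12;
}

// Compare what actually loaded against the manifest. `loaded` is the set of
// script URLs whose fetch succeeded (onload fired rather than onerror).
function resolveDependencies(loaded, manifest = MANIFEST) {
  const missing = manifest.filter(d => !loaded.has(d.src));
  const fatal = missing.filter(d => d.mandatory).map(d => d.src);
  return { ok: fatal.length === 0, missing: missing.map(d => d.src), fatal };
}

// Build the submit handler. `globals` mirrors the top-layer pattern in the
// thread: `var passwordChecker = null;` before the include, so a blocked
// fetch leaves null in place of a function.
function makePasswordGuard(loaded, globals, manifest = MANIFEST) {
  const status = resolveDependencies(loaded, manifest);
  if (!status.ok) {
    // Mandatory security dependency missing: fail closed, refuse every submit.
    return () => ({ allowed: false, reason: 'missing: ' + status.fatal.join(', ') });
  }
  const checker = globals.passwordChecker != null ? globals.passwordChecker
                                                   : fallbackChecker;
  return password => checker(password)
    ? { allowed: true, reason: 'ok' }
    : { allowed: false, reason: 'weak password' };
}

// Constructed scenario: the external checker demands a digit; in the second
// run the fetch of password-checker.js is blocked, so the global stays null.
const externalChecker = pw => pw.length >= 8 && /[0-9]/.test(pw);
const allLoaded = new Set(['password-checker.js', 'analytics.js']);
const checkerBlocked = new Set(['analytics.js']);
console.log(makePasswordGuard(allLoaded, { passwordChecker: externalChecker })('abcdefg1'));
console.log(makePasswordGuard(checkerBlocked, { passwordChecker: null })('abcdefg1'));
```

Flipping `mandatory` to `false` for the checker switches the guard from refusing all submissions to using the built-in fallback, which is the trade-off the declarative form makes explicit.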