On Thu, Jan 29, 2015 at 10:50 PM, Yan Zhu wrote:
> Say that resource Y is a javascript file that listens for users typing in
> password fields and shows them a warning if the password is weak. The user
> verifies and loads the HTML page that includes Y but an attacker then blocks
> the request to fetch Y, so the user picks a weak password.
The application developer could cope with this in the top-layer code:
===
var passwordChecker = null; // set by resource Y once it has loaded
...
if (null == passwordChecker) {
// handle failure of security dependency (Y never loaded)
}
===
Just as a native application developer should do:
===
#include <dlfcn.h>
...
void* passwordChecker = dlopen("password-checker.so", ...);
if (NULL == passwordChecker) {
// handle failure of security dependency (library missing or blocked)
}
===
But,
> My intuition is that most developers think about the security of their app as
> a whole, not the security of their app minus any-given-subset-of-resources.
You're probably right about both web developers and native code developers.
But, if we provide a declarative interface for the package format that
allows developers to declare that a given dependency should be
pre-loaded when possible and mandatorily pre-loaded, they might be
more likely to use that than to write the tedious error-handling code
like that above. I.e. we can create good affordances, and thus get the
benefits of security and performance most of the time.
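As an added example (not code from this thread or from any project discussed in it), here is the "tedious error-handling" the reply describes, written as a fail-closed gate: the password form refuses to proceed unless the checker script actually loaded. The names `createPasswordGate`, `sampleChecker`, `wireToDocument` and the assumption that the loaded script defines `window.checkPassword` are all hypothetical.

```javascript
'use strict';

// Fail-closed gate around a script-loaded security dependency (resource Y).
// Until the script's onload fires, or if onerror fires, no checker exists and
// the gate refuses the password rather than silently skipping the check.
function createPasswordGate() {
  let state = 'pending';   // 'pending' | 'loaded' | 'failed'
  let checker = null;

  return {
    // Call from the <script> onload handler with the checker the script exposes.
    dependencyLoaded(fn) { checker = fn; state = 'loaded'; },
    // Call from the <script> onerror handler (fetch blocked, 404, etc.).
    dependencyFailed() { checker = null; state = 'failed'; },
    state() { return state; },
    // Decide whether the form may submit. No checker means no submission.
    evaluate(password) {
      if (state !== 'loaded' || checker === null) {
        return { allowed: false, reason: 'password checker unavailable (' + state + ')' };
      }
      const verdict = checker(password);
      return verdict.weak
        ? { allowed: false, reason: 'weak password: ' + verdict.why }
        : { allowed: true, reason: 'ok' };
    },
  };
}

// Constructed stand-in for what the real checker script would export.
function sampleChecker(pw) {
  if (pw.length < 12) return { weak: true, why: 'shorter than 12 characters' };
  if (!/[0-9]/.test(pw) || !/[a-zA-Z]/.test(pw)) {
    return { weak: true, why: 'needs both letters and digits' };
  }
  return { weak: false, why: '' };
}

// Browser wiring (not exercised offline): hook the gate to the script element
// and to the form so a blocked fetch of Y cannot leave the check silently off.
// Assumes the loaded script defines window.checkPassword (hypothetical name).
function wireToDocument(gate, doc, scriptUrl, form, passwordInput) {
  const s = doc.createElement('script');
  s.src = scriptUrl;
  s.onload = () => gate.dependencyLoaded(doc.defaultView.checkPassword);
  s.onerror = () => gate.dependencyFailed();
  doc.head.appendChild(s);
  form.addEventListener('submit', (ev) => {
    const result = gate.evaluate(passwordInput.value);
    if (!result.allowed) { ev.preventDefault(); alert(result.reason); }
  });
}
```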