On 1/8/13 8:14 AM, Boris Zbarsky wrote:
On 1/8/13 2:09 AM, Ian Hickson wrote:
In the spec's security model, origins are never relevant for elements
except when we're looking at the element's data.
Yes. I think the spec's security model is not viable long-term, for
what it's worth, and think we should be designing a security model that
is instead...
Just to clarify this. You may want to talk to sicking and Mounir about
what they discovered about security models in the course of getting
partially-elevated-privileges web apps to work.
I suspect we'll need more of that sort of thing as time goes on. Which
means the security model will likely need to evolve.
Which in turn means that I believe we should not be designing APIs and
other functionality around the current security model, especially if the
dependency is non-obvious (and I would argue that any dependency not
spelled out in the section describing the security model is non-obvious,
because it's too easy to miss it when updating the security model).
What I think we ahould be doing instead is designing with the assumption
that some core set of things is true (and we can argue about what set
that is), but making as few assumptions as possible in general.
Put another way, I think we have good evidence that the security model
in the spec, as well as that in every browser, Gecko included, is wrong
in the same sense that Newtonian mechanics is wrong. The problem is
that we don't know what our equivalent of special relativity is yet.
-Boris
