
Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers



anurag.agarwal@xxxxxxxxx wrote:
I totally agree with Brian on this. Besides, as per my discussion with Mozilla guys in Blackhat, they were reaching out to webappsec community to provide ideas and RSnake has a post related to this
http://ha.ckers.org/blog/20070811/content-restrictions-a-call-for-input/

I don't particularly want to get into a big argument about this, but I'm fairly sure that:

"I submitted the concept to Rafael Ebron, who handed it off to Gerv. It went to the WHATWG, and that's where it's stayed for the last 3 years or so."

is incorrect in a couple of respects.

- I thought up Content Restrictions all on my own, without talking to rebron or anyone else. I will happily accept that other people may have been thinking along the same lines, at the same time or earlier; I don't know. But I wasn't inspired by them. As for Script Keys, they were actually inspired by a mistaken understanding of something Microsoft were doing!

- I'm pretty sure I was first to call that idea by this name. RSnake seems to be muddying the waters a little by talking about things like Brendan's <jail> proposal (or other, similar, restrict-what-goes-on-between-two-tags ideas, such as <sandbox>) under the name Content Restrictions.

- Content Restrictions has not been passed to the WHAT-WG. The delay in implementing it in the Mozilla codebase has merely been lack of time on my part, and (seemingly) lack of inclination on anyone else's. Although parts of it are Priority 1 items in the Firefox 3 Product Requirements Document. The WHAT-WG has been thinking about this problem independently (Hixie wrote up a summary of some different approaches, I believe including CR). But I don't think they've written a spec.

Gerv

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]