Confirmed users, Bureaucrats and Sysops emeriti
419
edits
Security:Strawman Model: Difference between revisions
→Types
No edit summary |
(→Types) |
||
| Line 1: | Line 1: | ||
=== Notes === | |||
The goal is to write down formal semantics for JavaScript security in Mozilla. This is ambitious, and it may end up taking a long time (e.g. to write operational semantics). I'm starting with semi-formal scribblings. | |||
The hard cases we want to handle include pseudo-URLs such as javascript:, loaded via static markup and dynamic script. Also we need to model the allAccess (and others?) policy available via the <code>capability.policy...</code> preferences. Finally, we must model the system principal, since that's what chrome: uses. | |||
In order to avoid unsound assumptions and contradictions in the current code, I'm not modeling the detailed control stack walking rules implemented by caps. And to avoid modeling JS execution fully, I've simplified the control stack to track window objects. So if a chain of functions in one window's scope calls across windows into another global scope, the model stack grows by one item, a reference to the second global. | |||
The goal is to prove that this model enforces the access control policies we claim to support: same origin sandboxing for web content, and least privilege for mixtures of chrome and content functions on the control stack. | |||
=== Types === | === Types === | ||
<pre> | <pre> | ||