Security:Strawman Model: Difference between revisions
(→Types) |
|||
| Line 37: | Line 37: | ||
Window = record {parent:Object = null, | Window = record {parent:Object = null, | ||
location:String, | location:String, | ||
principal:Principal, | principal:Principal = urlPrincipal(location), | ||
opener:Window, | opener:Window = null, | ||
document:Document = null} | document:Document = null} | ||
</pre> | </pre> | ||
Revision as of 22:33, 2 August 2006
Types
Principal = (System, Origins, Unknown) // disjoint type union
System = {system} // system principal singleton
Origin = {origin1, ..., originN} // set of N origin principals
Origins = powerset(Origin) - {}
Unknown = {unknown} // unknown principal singleton
Request = {get, set, call} // principal requests of objects
Stack = array [Activation] // array of activation objects
where top() = this[this.length-1]
Activation = record {global:Window,
subject:Principal}
Object = record {parent:Object} // record with parent field
Document = record {parent:Object,
children:Array = []}
where appendChild(c) = (c.parent = this, this.children.push(c))
Link = record {parent:Object = null,
href:String,
text:String}
Button = record {parent:Object = null,
onclick:String,
text:String}
IFrame = record {parent:Object = null,
src:String,
content:Window = null}
Script = record {parent:Object = null,
content:String}
Window = record {parent:Object = null,
location:String,
principal:Principal = urlPrincipal(location),
opener:Window = null,
document:Document = null}
Grammar
Informal subset EBNF grammar for an XHTML-subset markup language, with embedded semantics, capitalized non-terminals, and quoted or lowercase terminals.
Document ::= document = new Document()
Content
Content ::= (Text | Markup)*
Text ::= text document.appendChild(new Text(text))
Markup ::= < 'a' 'href' '=' string '>' text '</' 'a' '>'
document.appendChild(new Link(string, text))
| < 'button' 'onclick' '=' string > text </ 'button' >
document.appendChild(new Button(string, text))
| < 'iframe' 'src' '=' string />
let frame:IFrame = new IFrame(string)
document.appendChild(frame)
frame.content = new Window("about:blank")
load(frame.content, string)
| < 'script' > text </ 'script' >
document.appendChild(new Script(text))
eval(text)
Definitions
Let P be the set of all principals.
Let <= be a binary relation by which P is partially ordered.
For all p in P, p <= system.
For all Origin principals p and q in P, !(p <= q) && !(q <= p).
For all p in P, unknown <= p.
For all principals p and q, there exists in P the greatest lower bound (p ^ q), the meet of p and q, defined by <=. (P, <=) is a meet semi-lattice.
For all p in P, (p ^ system) == p.
For all p in P, (p ^ unknown) == unknown.
Let stack:Stack = new Stack.
Let d:Document, o:Object, r:Request, s:String, w:Window, x:* in the following sections.
Functions
(The matches operator takes either a string right operand to prefix-match, or a `-quoted template, informally connoting a pattern to match. The result of matches is either the empty string on failure, which converts to false; or the matching prefix string on success.)
Let origin(s) = (s matches `scheme://hostpart`) || unknown.
Let pseudo(s) = !s || s matches 'about:' || s matches 'data:' || s matches 'javascript:'.
Let global() = stack.top().global.
Let subject() = stack.top().subject.
Let urlString(s) = s || 'about:blank'
Let urlPrincipal(s) = pseudo(s) ? subject() : origin(s).
Let open(s) = load(new Window(urlString(s), urlPrincipal(s), global()), s).
Let principal(x) = (x is Window) ? x.principal : principal(x.parent).
Let mapMeet(a) = a[0].subject ^ ... ^ a.top().subject.
Let canAccess(o, r) = allAccess(o, r) || principal(o) <= mapMeet(stack).