Confirmed users, Bureaucrats and Sysops emeriti
419
edits
FlowSafe: Difference between revisions
→To-do
(→To-do) |
(→To-do) |
||
| Line 17: | Line 17: | ||
Implement dynamic-only, fail-stop "no sensitive upgrade" or better, information flow security for JS, the DOM, and other parts of the browser. See [[http://slang.soe.ucsc.edu/cormac/papers/plas09.pdf]] for a paper on part of the work. | Implement dynamic-only, fail-stop "no sensitive upgrade" or better, information flow security for JS, the DOM, and other parts of the browser. See [[http://slang.soe.ucsc.edu/cormac/papers/plas09.pdf]] for a paper on part of the work. | ||
# Add <code> | # Add <code>JSTrustLabel</code> to the JS API, a union of <code>JSPrincipals</code> (trust labels replace principals) | ||
# Add policy JS API that allows custom assignment, control flow branching, and input/output policy decision points | # Add policy JS API that allows custom assignment, control flow branching, and input/output policy decision points | ||
# Add a <code> | # Add a <code>JSTrustLabeledValue</code> <code>jsval</code> pseudo-boolean variant | ||
# <code>JSScript</code> has a <code> | # <code>JSScript</code> has a <code>JSTrustLabel</code> | ||
# Interpreter <code>pc</code> has a <code> | # Interpreter <code>pc</code> has a <code>JSTrustLabel</code> | ||
# Variable objects (even those optimized away) have a <code> | # Variable objects (even those optimized away) have a <code>JSTrustLabel</code> | ||
# DOM, other host objects have labels | # DOM, other host objects have trust labels | ||
# Exceptions, etc. | # Exceptions, etc. | ||