==FlowSafe: Information Flow Security for the Browser==
The central idea is to improve the default browser security model, which has been "stuck" since 1995 at the [https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript Same-Origin Policy] with its underlying and conflicting [[DOM access control]] and [[JavaScript object-capability]] security layers.
We aim to do this without breaking the web, and indeed with measurable improvements to safety property enforcement and security policy expressiveness.
* Improve default cross-site script integrity (ads, analytics)
* Systematically enforce the Same-Origin Policy and better security policies by pervasive mediation
* Reduce existing "caps", DOM, and [[JavaScript]] engine patchwork / leaky reference monitor code
* Guarantee termination-insensitive non-interference for better confidentiality
* Explore timing and termination channel mitigations