[WEB SECURITY] Seeking feedback on proposed security restriction in the browsers

Gervase Markham gerv at gerv.net
Mon Aug 13 12:30:31 EDT 2007


anurag.agarwal at yahoo.com wrote:
> I totally agree with brian on this. Besides as per my discussion with 
> Mozilla guys in Blackhat, they were reaching out to webappsec community 
> to provide ideas and RSnake has a post related to this
> http://ha.ckers.org/blog/20070811/content-restrictions-a-call-for-input/

I don't particularly want to get into a big argument about this, but I'm 
fairly sure that:

"I submitted the concept to Rafael Ebron, who handed it off to Gerv. It 
went to the WHATWG, and that’s where it’s stayed for the last 3 years or 
so."

is incorrect in a couple of respects.

- I thought up Content Restrictions all on my own, without talking to 
rebron or anyone else. I will happily accept that other people may have 
been thinking along the same lines, at the same time or earlier; I don't 
know. But I wasn't inspired by them. As for Script Keys, they were 
actually inspired by a mistaken understanding of something Microsoft 
were doing!

- I'm pretty sure I was first to call that idea by this name. RSnake 
seems to be muddying the waters a little by talking about things like 
Brendan's <jail> proposal (or other, similar, 
restrict-what-goes-on-between-two-tags ideas, such as <sandbox>) under 
the name Content Restrictions.

- Content Restrictions has not been passed to the WHAT-WG. The delay in 
implementing it in the Mozilla codebase has merely been lack of time on 
my part, and (seemingly) lack of inclination on anyone else's. Although 
parts of it are Priority 1 items in the Firefox 3 Product Requirements 
Document. The WHAT-WG has been thinking about this problem independently 
(Hixie wrote up a summary of some different approaches, I believe 
including CR). But I don't think they've written a spec.

Gerv

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list