On 1/8/13 8:14 AM, Boris Zbarsky wrote:
On 1/8/13 2:09 AM, Ian Hickson wrote:
In the spec's security model, origins are never relevant for elements
except when we're looking at the element's data.

Yes.  I think the spec's security model is not viable long-term, for
what it's worth, and think we should be designing a security model that
is instead...

Just to clarify this. You may want to talk to sicking and Mounir about what they discovered about security models in the course of getting partially-elevated-privileges web apps to work.

I suspect we'll need more of that sort of thing as time goes on. Which means the security model will likely need to evolve.

Which in turn means that I believe we should not be designing APIs and other functionality around the current security model, especially if the dependency is non-obvious (and I would argue that any dependency not spelled out in the section describing the security model is non-obvious, because it's too easy to miss it when updating the security model). What I think we should be doing instead is designing with the assumption that some core set of things is true (and we can argue about what set that is), but making as few assumptions as possible in general.

Put another way, I think we have good evidence that the security model in the spec, as well as that in every browser, Gecko included, is wrong in the same sense that Newtonian mechanics is wrong. The problem is that we don't know what our equivalent of special relativity is yet.

-Boris