The browser is an environment that is hard to imagine controlling with
ACLs, but capabilities seem to fit right in. Consider a gadget, for example.
A gadget is, when you get down to it, a piece of JavaScript supplied by one
site running in a page supplied by another. From a security point of view this
presents an interesting dilemma: it is very likely that the user has different
levels of trust for the two pieces of code (say, for example, that the enclosing
page is Google Mail and the gadget is provided by god-knows-who), but from
a traditional security point of view they are indistinguishable: they both run
as the same user and they are both effectively on the same page. Furthermore,
the objects that one might want to protect (contact lists, contents of emails
and so forth) are effectively invisible to the operating system's access control
mechanisms, and to the browser's (if only it had any).
The view in a capability world could not be more different. In this case
the gadget is entirely at the mercy of the enclosing page, which can decide in
infinite detail what the gadget has access to and how. What’s more, providing
these detailed capabilities to the gadget is as easy and natural as providing
JavaScript objects to it. Indeed, in the case of Caja, at least, that is precisely
how capabilities are implemented: as JavaScript objects.
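As an added illustration of that last point (this is example code written for this page, not Caja's own implementation), here is the object-capability pattern the enclosing page would use: it keeps its privileged mail API to itself and hands the gadget a frozen facade that exposes only what the page has decided to allow, with the page able to revoke it later. The names `privilegedMail`, `makeGadgetCapability` and `gadget` are hypothetical, and the address-book data is constructed. The example assumes what Caja actually enforces by rewriting the gadget's code, namely that the gadget has no ambient way to reach `privilegedMail` or the DOM; in plain JavaScript the pattern alone does not give you that guarantee.

```javascript
'use strict';

// Constructed sample data standing in for the enclosing page's private
// state (think of a webmail client's address book). Not from the post.
const addressBook = [
  { name: 'Alice', email: 'alice@example.com', notes: 'VIP customer' },
  { name: 'Bob',   email: 'bob@example.com',   notes: 'Billing contact' },
];

// The enclosing page's fully privileged API (hypothetical). A gadget must
// never receive a reference to this object.
const privilegedMail = {
  listContacts: () => addressBook,
  send: (to, body) => ({ to, body, sent: true }),
};

// Build the attenuated capability the page hands to a gadget. It closes
// over the privileged API but exposes only two things: contact names
// (not addresses or notes) and sending mail to a contact already in the
// book. The page keeps the revoke() switch for itself.
function makeGadgetCapability(mail) {
  let revoked = false;
  const guard = () => { if (revoked) throw new Error('capability revoked'); };

  const cap = Object.freeze({
    contactNames() {
      guard();
      return mail.listContacts().map(c => c.name);
    },
    sendToContact(name, body) {
      guard();
      const hit = mail.listContacts().find(c => c.name === name);
      if (!hit) throw new Error('gadget may only mail known contacts');
      return mail.send(hit.email, body);
    },
  });

  return { cap, revoke: () => { revoked = true; } };
}

// A gadget written against the capability. Everything it learns or does
// goes through the object it was given; it never sees raw email addresses.
function gadget(cap) {
  const names = cap.contactNames();
  const result = cap.sendToContact(names[0], 'hello from the gadget');

  // Trying to widen the capability fails: the object is frozen, so the
  // assignment either throws (strict mode) or is silently ignored.
  let escalated;
  try {
    cap.listContacts = () => 'leaked';
    escalated = typeof cap.listContacts === 'function';
  } catch (e) {
    escalated = false;
  }

  // Mailing someone outside the address book is refused by the facade.
  let mailedStranger;
  try { cap.sendToContact('Mallory', 'spam'); mailedStranger = true; }
  catch (e) { mailedStranger = false; }

  return { names, result, escalated, mailedStranger };
}

// Run the gadget, then revoke its capability and show that it stops working.
function demo() {
  const { cap, revoke } = makeGadgetCapability(privilegedMail);
  const first = gadget(cap);
  revoke();
  let afterRevoke;
  try { cap.contactNames(); afterRevoke = 'still works'; }
  catch (e) { afterRevoke = e.message; }
  return { first, afterRevoke };
}

console.log(JSON.stringify(demo(), null, 2));
```

The security-relevant property is that the gadget's authority is exactly the set of object references it holds: to change what it may do, the page changes the object it passes, not a policy table somewhere else.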