7171 < h1 class ="p-name no-ref " id ="title "> Confinement with Origin Web Labels</ h1 >
7272
7373 < h2 class ="no-num no-toc no-ref heading settled " id ="subtitle "> < span class ="content "> Editor’s Draft,
74- < time class ="dt-updated " datetime ="2015-09-05 " > 5 September 2015</ time > </ span > </ h2 >
74+ < time class ="dt-updated " datetime ="2015-09-09 " > 9 September 2015</ time > </ span > </ h2 >
7575
7676 < div data-fill-with ="spec-metadata ">
7777 < dl >
@@ -319,18 +319,18 @@ <h2 class="heading settled" data-level="1" id="intro"><span class="secno">1. </s
319319
320320 < p > This document specifies an extension to the current model called
321321 Confinement with Origin Web Labels (COWL). COWL provides authors
322- with APIs for specifying access control policies on data, including
323- content, in terms of < a data-link-type ="dfn " href ="#origin-label "> origin labels</ a > . These policies are
324- enforced in a mandatory fashion, transitively, even once code has
325- access to the data. For example, with COWL, the author of
326- < code > https://example.com</ code > can specify that a password is
327- confidential to < code > https://example.com</ code > (and thus should
328- only be disclosed to < code > https://example.com</ code > ) before
329- sharing it with a third-party password strength checking service. In
330- turn, COWL ensures that the third-party service, which necessarily
331- computes on the sensitive password, is confined and respects the
332- policy on the password: COWL disallows it from disclosing the
333- password to any < a data-link-type ="dfn " href ="https://tools.ietf.org/html/rfc6454#section-3.2 "> origin</ a > other than
322+ with APIs for specifying (mandatory) access control policies on
323+ data, including content, in terms of < a data-link-type ="dfn " href ="#origin-label "> origin labels</ a > . These
324+ policies are enforced in a mandatory fashion, transitively, even
325+ once code has access to the data. For example, with COWL, the
326+ author of < code > https://example.com</ code > can specify that a
327+ password is confidential to < code > https://example.com</ code > (and
328+ thus should only be disclosed to < code > https://example.com</ code > )
329+ before sharing it with a third-party password strength checking
330+ service. In turn, COWL ensures that the third-party service, which
331+ necessarily computes on the sensitive password, is confined and
332+ respects the policy on the password: COWL disallows it from
333+ disclosing the password to any < a data-link-type ="dfn " href ="https://tools.ietf.org/html/rfc6454#section-3.2 "> origin</ a > other than
334334 < code > https://example.com</ code > .</ p >
335335
336336
@@ -358,11 +358,11 @@ <h2 class="heading settled" data-level="1" id="intro"><span class="secno">1. </s
358358
359359 < p > COWL is intended to be used as a defense-in-depth mechanism that can
360360 restrict how untrusted—buggy but not malicious—code
361- sensitive data. Given the complexities of browser implementations
362- and presence of covert channels, malicious code may be able to
363- exfiltrate data. Authors should still use discretionary access
364- control mechanisms, such as CSP and CORS, to restrict access to the
365- data in the first place.</ p >
361+ handles sensitive data. Given the complexities of browser
362+ implementations and presence of covert channels, malicious code may
363+ be able to exfiltrate data. Authors should still use discretionary
364+ access control mechanisms, such as CSP and CORS, to restrict access
365+ to the data in the first place.</ p >
366366
367367
368368 < section >
@@ -766,15 +766,16 @@ <h3 class="heading settled" data-level="2.1" id="key-concepts-labels"><span clas
766766
767767
768768
769- < div class ="example " id ="example-6618ece2 "> < a class ="self-link " href ="#example-6618ece2 "> </ a >
769+ < div class ="example " id ="example-b7c7efed "> < a class ="self-link " href ="#example-b7c7efed "> </ a >
770770 The integrity label
771771 < code > < a class ="idl-code " data-link-type ="interface " href ="#label0 "> Label</ a > ("https://a.com").or("https://b.com")</ code > ,
772772 when associated with a context, restricts the context to
773773 receiving data from (a context or server) that is at least as
774774 trustworthy as < code > https://a.com</ code > or
775775 < code > https://b.com</ code > . This context label ensures that
776- the code running in the context can only be influenced by
777- < code > https://a.com</ code > and < code > https://b.com</ code > .
776+ the code running in the context can only be influenced by data
777+ which either < code > https://a.com</ code > or
778+ < code > https://b.com</ code > endorse.
778779 </ div >
779780
780781
@@ -873,7 +874,7 @@ <h3 class="heading settled" data-level="2.2" id="key-concepts-privileges"><span
873874 < li data-md ="">
874875 < p > A < dfn data-dfn-type ="dfn " data-noexport ="" id ="privilege "> privilege< a class ="self-link " href ="#privilege "> </ a > </ dfn > is an unforgeable object that corresponds
875876 to a < a data-link-type ="dfn " href ="#label "> label</ a > . Privileges are associated with contexts and
876- reflect the authority of the context .</ p >
877+ reflect their authority.</ p >
877878
878879
879880
@@ -885,8 +886,8 @@ <h3 class="heading settled" data-level="2.2" id="key-concepts-privileges"><span
885886
886887
887888
888- < div class ="example " id ="example-e8c74689 "> < a class ="self-link " href ="#example-e8c74689 "> </ a >
889- Consider a context whose
889+ < div class ="example " id ="example-c90a85dd "> < a class ="self-link " href ="#example-c90a85dd "> </ a >
890+ Consider a context from < code > https://a.com </ code > whose
890891 < a data-link-type ="dfn " href ="#current-confidentiality-label "> current confidentiality label</ a > is < code > < a class ="idl-code " data-link-type ="interface " href ="#label0 "> Label</ a > ("https://a.com").and("https://b.com")</ code > .
891892 This label confines the context to only communicating with
892893 entities whose labels are at least as restricting as this
@@ -897,17 +898,17 @@ <h3 class="heading settled" data-level="2.2" id="key-concepts-privileges"><span
897898 from communicating with < code > https://a.com</ code > .
898899
899900
900- < p > But, suppose that the context’s < a data-link-type ="dfn " href ="#current-privilege "> current privilege</ a > corresponds
901- to < code > < a class ="idl-code " data-link-type ="interface " href ="#label0 "> Label</ a > ("https://a.com")</ code > , as
902- would be the case for an
903- < code > https://a.com </ code > context. Then, the context would be able to
904- bypass some of the restrictions imposed by the context label.
905- Specifically, the context would be able to communicate with
906- < code > https://b.com</ code > ; the privilege confers it the
907- right to declassify < code > https://a.com</ code > data to
908- < code > https://b.com</ code > . Indeed, when taking this privilege into
909- consideration, the < a data-link-type ="dfn " href ="#effective-confidentiality-label "> effective confidentiality label</ a > of
910- the context is < code > < a class ="idl-code " data-link-type ="interface " href ="#label0 "> Label</ a > ("https://b.com")</ code > .</ p >
901+ < p > But, suppose that the context’s < a data-link-type ="dfn " href ="#current-privilege "> current privilege</ a >
902+ corresponds to < code > < a class ="idl-code " data-link-type ="interface " href ="#label0 "> Label</ a > ("https://a.com")</ code >
903+ (afterall, the context originated from < code > https://a.com </ code > ).
904+ Then, the context would be able to bypass some of the
905+ restrictions imposed by the context label. Specifically, the
906+ context would be able to communicate with
907+ < code > https://b.com</ code > ; the privilege confers it the right
908+ to declassify < code > https://a.com</ code > data to
909+ < code > https://b.com</ code > . Indeed, when taking this privilege
910+ into consideration, the < a data-link-type ="dfn " href ="#effective-confidentiality-label "> effective confidentiality label</ a >
911+ of the context is < code > < a class ="idl-code " data-link-type ="interface " href ="#label0 "> Label</ a > ("https://b.com")</ code > .</ p >
911912
912913
913914
@@ -920,7 +921,7 @@ <h3 class="heading settled" data-level="2.2" id="key-concepts-privileges"><span
920921
921922 < div class ="note " role ="note ">
922923 To be flexible, COWL uses the context privilege to remove
923- (the safe) restrictions imposed by the < a data-link-type ="dfn " href ="#context-labels "> context label</ a > .
924+ certain restrictions imposed by the < a data-link-type ="dfn " href ="#context-labels "> context label</ a > .
924925 To avoid accidentally leaking sensitive context data,
925926 authors should use < a class ="idl-code " data-link-type ="interface " href ="#labeledobject "> LabeledObject</ a > s.
926927 </ div >
@@ -1051,7 +1052,7 @@ <h2 class="heading settled" data-level="3" id="framework"><span class="secno">3.
10511052 The COWL framework provides a JavaScript
10521053 < a class ="idl-code " data-link-type ="interface " href ="#privilege0 "> Privilege</ a > interface for operating on and minting
10531054 new < a data-link-type ="dfn " href ="#privilege "> privileges</ a > . The < a class ="idl-code " data-link-type ="interface " href ="#cowl "> COWL</ a > JavaScript
1054- interface and < code > Sec-COWL</ code > HTTP response header can be used
1055+ interface and < code > Sec-COWL</ code > HTTP response header can be
10551056 used to explicitly control the authority of a context by setting
10561057 the < a data-link-type ="dfn " href ="#context-privilege "> context privilege</ a > .
10571058
@@ -1317,7 +1318,7 @@ <h4 class="heading settled" data-level="3.1.2" id="labe-methods"><span class="se
13171318
13181319 < li data-md ="">
13191320 < p > For each < a data-link-type ="dfn " href ="#disjunction-set "> disjunction set</ a > < var > dset</ var > in the
1320- < a data-link-type ="dfn " href ="#label-set "> label set</ a > of the < a data-link-type ="dfn " href ="#label "> label</ a > this method was invoked on:</ p >
1321+ < a data-link-type ="dfn " href ="#label-set "> label set</ a > of the < a data-link-type ="dfn " href ="#label "> label</ a > , this method was invoked on:</ p >
13211322
13221323
13231324
@@ -1409,6 +1410,14 @@ <h4 class="heading settled" data-level="3.1.2" id="labe-methods"><span class="se
14091410 let < var > origin</ var > be a < a data-link-type ="dfn " href ="https://tools.ietf.org/html/rfc6454#section-2.3 "> globally unique identifier</ a > .</ p >
14101411
14111412
1413+
1414+ < div class ="note " role ="note ">
1415+ Much like < a data-link-type ="functionish " href ="#dom-privilege-freshprivilege "> FreshPrivilege()</ a > ,
1416+ < code > "unique"</ code > is used to create a label
1417+ component that is globally unique.
1418+ </ div >
1419+
1420+
14121421
14131422 < li data-md ="">
14141423 < p > Else, if < var > str</ var > is < code > "self"</ code > and < var > self</ var > is not null,
@@ -2710,9 +2719,10 @@ <h3 class="heading settled" data-level="3.5" id="header"><span class="secno">3.5
27102719
27112720
27122721
2713- < pre > < dfn data-dfn-type ="dfn " data-noexport ="" id ="label_set "> label-set< a class ="self-link " href ="#label_set "> </ a > </ dfn > = "[" < a data-link-type ="dfn " href ="#disjunction_set "> disjunction-set</ a > *( "," [ < a data-link-type ="dfn " href ="#disjunction_set "> disjunction-set</ a > ] ) "]"
2722+ < pre > < dfn data-dfn-type ="dfn " data-noexport ="" id ="label_set "> label-set< a class ="self-link " href ="#label_set "> </ a > </ dfn > = "[" < a data-link-type ="dfn " href ="#disjunction_set "> disjunction-set</ a > *( "," [ < a data-link-type ="dfn " href ="#disjunction_set "> disjunction-set</ a > ] ) "]" / < a data-link-type =" dfn " href =" #empty_label " > empty-label </ a >
27142723< dfn data-dfn-type ="dfn " data-noexport ="" id ="disjunction_set "> disjunction-set< a class ="self-link " href ="#disjunction_set "> </ a > </ dfn > = "[" [ < a data-link-type ="dfn " href ="#source_expression "> source-expression</ a > *( "," [ < a data-link-type ="dfn " href ="#source_expression "> source-expression</ a > ] ) ] "]"
27152724< dfn data-dfn-type ="dfn " data-noexport ="" id ="source_expression "> source-expression< a class ="self-link " href ="#source_expression "> </ a > </ dfn > = "'self'" / < a data-link-type ="dfn " href ="https://www.w3.org/TR/CSP2/#source-list-syntax "> host-source</ a >
2725+ < dfn data-dfn-type ="dfn " data-noexport ="" id ="empty_label "> empty-label< a class ="self-link " href ="#empty_label "> </ a > </ dfn > = "[" *< a data-link-type ="dfn " href ="https://tools.ietf.org/html/rfc5234#appendix-B.1 "> WSP</ a > "[" *< a data-link-type ="dfn " href ="https://tools.ietf.org/html/rfc5234#appendix-B.1 "> WSP</ a > "]" *< a data-link-type ="dfn " href ="https://tools.ietf.org/html/rfc5234#appendix-B.1 "> WSP</ a > "]"
27162726</ pre >
27172727
27182728
@@ -2755,8 +2765,8 @@ <h4 class="heading settled" data-level="3.5.1" id="request-header"><span class="
27552765
27562766
27572767
2758- < div class ="example " id ="example-89644cdc "> < a class ="self-link " href ="#example-89644cdc "> </ a >
2759- Request header from an < code > http://a.com</ code > page that has
2768+ < div class ="example " id ="example-da414d56 "> < a class ="self-link " href ="#example-da414d56 "> </ a >
2769+ Request header from a < code > http://a.com</ code > page that has
27602770 read data sensitive to < code > http://b.com</ code > .
27612771
27622772 < pre > < code > Sec-COWL: < a data-link-type ="dfn " href ="#ctx_confidentiality "> ctx-confidentiality</ a > [ ['https://b.com'] ];
@@ -2977,6 +2987,18 @@ <h4 class="heading settled" data-level="3.6.1" id="sending-labeled-objects"><spa
29772987 User agents MUST ensure that all < a data-link-type ="dfn " href ="#protected-object "> protected object</ a > s can be
29782988 serialized at the time of creating < a class ="idl-code " data-link-type ="interface " href ="#labeledobject "> LabeledObject</ a > s.</ p >
29792989
2990+
2991+
2992+ < div class ="note " role ="note ">
2993+ This algorithm does not check if the integrity label of
2994+ the object subsumes the server’s integrity label. It is
2995+ the server’s responsibility to ensure that untrustworthy
2996+ data does not affect its computation in an unsafe way.
2997+ Indeed, the only reason for checking the confidentiality
2998+ labels is because the user agent has no way to ensure that
2999+ the server will respect the confidentiality of the data.
3000+ </ div >
3001+
29803002</ ol >
29813003
29823004
@@ -3233,7 +3255,7 @@ <h5 class="heading settled" data-level="3.6.2.1" id="labeledobject-xhr-receive-e
32333255
32343256{
32353257 "confidentiality": [[]],
3236- "integrity": [["https://validator .com"]],
3258+ "integrity": [["https://provider .com"]],
32373259 "object": ...
32383260}
32393261</ code > </ pre >
@@ -4060,9 +4082,13 @@ <h3 class="heading settled" data-level="4.8" id="should-block-fetch"><span class
40604082</ ol > </ ol >
40614083
40624084
4063- < p class ="note " role ="note "> Note, the integrity label of the current context is not
4064- used in this algorithm since, conceptually, the integrity label of
4065- a server is the < a data-link-type ="dfn " href ="#empty-label "> empty label</ a > and, thus, always subsumed.</ p >
4085+ < p class ="note " role ="note "> Note, the integrity label of the current context is not used in
4086+ this algorithm since, conceptually, the integrity label of a
4087+ server is the < a data-link-type ="dfn " href ="#empty-label "> empty label</ a > and, thus, always subsumed.
4088+ Server operators should check the
4089+ < a href ="#request-header "> < code > Sec-COWL</ code > </ a > request header
4090+ to ensure untrustworthy data does not affect the computation in an
4091+ unsafe way.</ p >
40664092
40674093
40684094 </ section >
@@ -4788,6 +4814,7 @@ <h3 class="no-num heading settled" id="index-defined-here"><span class="content"
47884814 < li > effective confidentiality label, < a href ="#effective-confidentiality-label "> 2.2</ a >
47894815 < li > effective integrity label, < a href ="#effective-integrity-label "> 2.2</ a >
47904816 < li > empty label, < a href ="#empty-label "> 3.1</ a >
4817+ < li > empty-label, < a href ="#empty_label "> 3.5</ a >
47914818 < li > empty privilege, < a href ="#empty-privilege "> 3.2</ a >
47924819 < li > enable(), < a href ="#dom-cowl-enable "> 3.3.2</ a >
47934820 < li > equals(other), < a href ="#dom-label-equalsother "> 3.1.2</ a >
0 commit comments