[cap-talk] Polaris tickle, POLA for Internet access, URLs
David Wagner
daw at cs.berkeley.edu
Mon Dec 6 20:48:53 EST 2004
Jed writes:
>>David Wagner wrote:
>>>I believe by far the largest source of security holes is in the
>>>specification (of desired functionality), not necessarily in the
>>>implementation. For instance, take Javascript.
>
>Specifically by limiting the rights of the process interpreting
>the Javascript to essentially the ability to read the input data and
>the ability to generate a pixel map with links to be displayed.
But then it wouldn't be Javascript anymore; it would be some poorly
designed scripting language with lame syntax that has suddenly been
rendered useless to web developers. (As opposed to Javascript today,
which is a poorly designed scripting language with lame syntax that web
developers consider very useful.)
With the changes you suggest, existing web pages would no longer work.
Existing features could not be supported by this new language. (To give
a simple example, consider a button that changes color when your mouse
passes over it.) Web developers would scream bloody murder.
It's not much of a solution. It would be simpler just to ditch Javascript
entirely. The only reason that web developers like Javascript is because
it gives them so many powers. If you remove those powers, they won't be
happy any more, and you won't be able to support lots of the functionality
they like to provide.
So I'm back to where I started. I believe it is the specification of
the desired functionality that is the problem, not the implementation
strategy for supporting that functionality. I can't see any way to
provide the web developers with what they want and still retain security,
and I don't see how capabilities change that conclusion in any way.