[cap-talk] Google Chrome - web browser with sandboxed rendering
Toby Murray
toby.murray at comlab.ox.ac.uk
Fri Sep 5 05:06:40 CDT 2008
On Fri, 2008-09-05 at 10:52 +0100, Ben Laurie wrote:
> On Thu, Sep 4, 2008 at 10:39 PM, James A. Donald <jamesd at echeque.com> wrote:
> > Ben Laurie wrote:
> >> I agree that the problem of making the security decisions is
> >> considerably harder than that of enforcing them.
> >
> > Hence the powerbox user interface model of piggybacking permission on
> > designation.
>
> This particular assertion is beginning to really bug me. Designation
> works fine for files, maybe, and for drag'n'drop, even more maybe (are
> you granting read? write? a communications channel? is it permanent or
> temporary? etc). But I've yet to see any evidence that it makes any
> sense at all in the context of, for example, sockets.

That's because sockets are not reified in current user interfaces.
That's not to suggest that they could not be, however, although it would
be unconventional. Of course doing so may increase the complexity of the
mental model that the user now must maintain in order to make safe
designations.

I think that experimenting with alternative desktop interfaces that
reify entities not currently well represented to the user in order to
try to make better inferences about security policy would be a useful
thing to explore. I would like to think that the powerbox "Open File"
dialog, drag and drop etc. only scratch the surface here and that we are
limited only by the strong familiarity of current desktop interfaces and
the metaphors in which they rest. This may be wishful thinking, however.
Only experimentation can help answer, I reckon.

Cheers
Toby
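An added illustration of the powerbox pattern the thread is arguing about (not code from Chrome or from anyone on this list): the sandboxed renderer holds no ambient file authority, the trusted powerbox turns the user's designation into a capability, and that capability carries explicit answers to Ben's questions (read or write? permanent or temporary?). The filesystem store, clock and user-choice callback are constructed stand-ins.

```python
# Hypothetical model of "permission piggybacked on designation".
# Not the Chrome sandbox or any real powerbox implementation.
from dataclasses import dataclass
from enum import Flag, auto
from typing import Callable, Optional

class Access(Flag):
    READ = auto()
    WRITE = auto()

@dataclass(frozen=True)
class FileCap:
    """A capability: the designated path plus the scope the grant carries."""
    path: str
    access: Access
    expires_at: Optional[float]   # None means the grant is permanent

# Constructed stand-in for the filesystem; the renderer never touches it directly.
STORE = {"/home/u/report.txt": "quarterly numbers", "/home/u/.ssh/id_rsa": "SECRET"}

class Powerbox:
    """Trusted UI: the only party that turns a user's choice into authority."""
    def __init__(self, ask_user: Callable[[], Optional[str]], clock: Callable[[], float]):
        self._ask_user, self._clock = ask_user, clock

    def open_file(self, access: Access = Access.READ, ttl: Optional[float] = None):
        path = self._ask_user()               # designation happens here, by the user
        if path is None:
            return None                       # user cancelled: no authority at all
        expires = None if ttl is None else self._clock() + ttl
        return FileCap(path, access, expires)

class SandboxedRenderer:
    """Holds no ambient file authority; every access must present a FileCap."""
    def __init__(self, clock: Callable[[], float]):
        self._clock = clock

    def _check(self, cap: FileCap, needed: Access) -> None:
        if needed not in cap.access:
            raise PermissionError(f"cap for {cap.path} lacks {needed.name}")
        if cap.expires_at is not None and self._clock() > cap.expires_at:
            raise PermissionError(f"cap for {cap.path} has expired")

    def read(self, cap: FileCap) -> str:
        self._check(cap, Access.READ)
        return STORE[cap.path]

    def write(self, cap: FileCap, data: str) -> None:
        self._check(cap, Access.WRITE)
        STORE[cap.path] = data
```

Nothing in the renderer names `/home/u/.ssh/id_rsa`, so there is no code path by which it can reach that file; the only authority it ever holds is whatever the user designated, with the scope and lifetime the grant spelled out.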