[cap-talk] Webkeys vs. the web
Karp, Alan H
alan.karp at hp.com
Tue Mar 31 20:09:12 EDT 2009
David-Sarah Hopwood wrote:
> However, you can't give the *content* of the page to a subject that should
> only have the attenuated authority. This is a useful thing to allow; also
> note that the page content can potentially leak via an XSS attack or any
> other browser exploit that can transmit content on the current page to an

The idea is that the dynamic part of the page doesn't contain any actual links. Clicking what appears to be a link invokes a script that uses the traversed path information to decide what page to show next.

> In any case, why is this necessary, given that the browser's Back button
> and History window provide the same functionality? It seems like a lot
> of complexity just to duplicate functionality that is already available
> via those browser features (in a way that doesn't cause any problem in
> giving the page content to another subject).

Recall Chip's challenge. He wanted to put a "take me Home", e.g., to my powerbox page, link on a page having reduced authority. In my proposal, that would go in the dynamic part.

Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
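
The following sketch is an added example, not code from this thread or from any webkey implementation. It shows one way the "dynamic part" described in the message could work: the controls in the markup carry only an id, and a script-held record of the traversed path decides which page comes next. It assumes the path lives in a script closure; `createNavigator`, the control ids and the `example.invalid` webkeys are all constructed for illustration.

```javascript
// Added illustration. All names and URLs are constructed, not from the thread.
const POWERBOX = "https://example.invalid/app/#s=CONSTRUCTED-POWERBOX-KEY";
const READONLY = "https://example.invalid/app/#s=CONSTRUCTED-READONLY-KEY";

function createNavigator() {
  const path = [];           // traversed webkeys, oldest first; closure only
  const actions = new Map(); // control id -> function(path) => next webkey

  function visit(webkey) { path.push(webkey); }

  function addControl(id, chooseNext) {
    // Ids end up in markup, so restrict them to a harmless alphabet.
    if (!/^[a-z][a-z0-9-]*$/.test(id)) throw new Error("bad control id");
    actions.set(id, chooseNext);
  }

  // Dynamic part of the page: controls carry an id only, no href and no webkey.
  function renderDynamicPart() {
    return [...actions.keys()]
      .map((id) => `<button data-nav="${id}">${id}</button>`)
      .join("");
  }

  // Body of the click handler: the traversed path decides the next page.
  function activate(id) {
    const chooseNext = actions.get(id);
    if (!chooseNext) throw new Error(`unknown control: ${id}`);
    const next = chooseNext(path.slice());
    if (next === undefined) throw new Error(`nothing to show for: ${id}`);
    const seen = path.indexOf(next);
    if (seen >= 0) path.length = seen + 1; // going back truncates the path
    else path.push(next);
    return next; // the caller would load this page
  }

  return { visit, addControl, renderDynamicPart, activate };
}

function demo() {
  const nav = createNavigator();
  nav.visit(POWERBOX);  // user starts at the powerbox page
  nav.visit(READONLY);  // then follows an attenuated webkey
  nav.addControl("home", (p) => p[0]);
  nav.addControl("back", (p) => p[p.length - 2]);
  const markup = nav.renderDynamicPart();
  return { markup, home: nav.activate("home"), nav };
}
```

Copying the rendered markup to another subject hands over no webkey, but any script running in the same page can still invoke the handlers, so the closure is not a boundary against the XSS case raised in the quoted text.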