Thursday, July 3, 2014

reply to comments in the article "CSS is unnecessary given a layout language with means of abstraction and combination" (by Paul Chiusano on July 2, 2014) (http://pchiusano.github.io/2014-07-02/css-is-unnecessary.html) on Paul Chiusano's blog (http://pchiusano.github.io)

The article is talking about "POLP". POLA is completely different. The article he linked to seems to be concerned about the language being declarative so it can be searched / traversed etc. Concrete example: <div id="content">blah blah</div> versus some page with no content that gets filled in by JS at runtime. I'm not sure whether/how that applies to Elm as I haven't looked at it yet.

"and rediscovered in bastardized form by the creators of the web" Really? I've never heard of any part of the web which is remotely related to capability security. Care to share? Indeed, phishing and CSRF are caused by ambient authority. As far as I'm aware, nobody in the web development community is even aware of the confused deputy problem, aside from projects like waterken, Caja, etc.

"while having a well-thought out security model to prevent the possibility of XSS and related attacks." There's no thinking required here. Injection attacks are trivial to solve: construct the abstract syntax directly rather than by string concatenation.

Unsound: "<b>"+s+"</b>"
Sound: b("bold text")

Where b will escape "bold text" if necessary. The only hard case I know of is when defining the constructor for an anchor. It would be used something like this:

a("click here", href="http://google.com/blah")

The problem is that when rendering a user submitted homepage link:

a("user's homepage", href=user_homepage)

href could be "javascript:malicious code". This can be solved by changing a to work like this:

a("click here", href=http("google.com/blah"))

This would prepend "http://", and thus rule out "javascript:" being at the start of the href.

And if the developer actually wanted to make a link to js, he would do:

a("click here", href=javascript("alert('hi')"))
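The sketch above, written out as a small added Python example (it is not code from this post or from Paul Chiusano's article). The Html and Url wrapper types, text() and unsound_b() are my own assumptions; b, a, http and javascript follow the constructors described above, and the point is that a raw string can never reach the markup or the href except through a constructor that escapes it or fixes its scheme.

```python
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class Html:
    """Markup that is safe to emit; only the constructors below build it (assumed type)."""
    markup: str


@dataclass(frozen=True)
class Url:
    """An href whose scheme was chosen in source code, not by user input (assumed type)."""
    value: str


def unsound_b(s: str) -> str:
    # The string-concatenation version from the post: user text lands in the markup verbatim.
    return "<b>" + s + "</b>"


def text(s: str) -> Html:
    # Every raw string crosses into markup through this escape, so "<" and '"' never survive.
    return Html(html.escape(s, quote=True))


def b(content) -> Html:
    inner = content if isinstance(content, Html) else text(content)
    return Html("<b>" + inner.markup + "</b>")


def http(rest: str) -> Url:
    # Prepending the scheme means user input can never put "javascript:" at the start.
    return Url("http://" + rest)


def javascript(code: str) -> Url:
    # Explicit opt-in: a js link has to be requested by name in the source.
    return Url("javascript:" + code)


def a(content, href: Url) -> Html:
    # A bare string is rejected at the API boundary, so a(..., href=user_homepage) fails loudly.
    if not isinstance(href, Url):
        raise TypeError("href must be built with http() or javascript(), not a raw string")
    inner = content if isinstance(content, Html) else text(content)
    return Html('<a href="%s">%s</a>' % (html.escape(href.value, quote=True), inner.markup))
```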