Presentation: "Secure Distributed Programming on EcmaScript 5 + HTML5 platforms"
Track:
HTML5, the Platform
Time: Friday 15:35 - 16:35
Location: Westminster Suite, Fourth Floor
Abstract:
Download slides
Programming for the browser platform is hell. After the DOM API, the worst part of that hell is the browser security architecture, centered on the same origin policy. Until recently, there was no practical way to avoid its complexities on standard browsers. We show how to use EcmaScript 5 to restrict loaded code to object-capability rules within a frame, enabling secure mashups. We show how to use HTML5's support for cross-origin messaging to support safe origin-independent messaging. Composed together, these form a simple, coherent, expressive, object-oriented security architecture, able to run on almost any browser fully conformant with these new standards. Although we are still also constrained by the same origin policy, we can largely escape from its confusions and complexities, expressing security by saner means.