[cryptography] How to safely produce web pages from multiple sources?

James A. Donald jamesd at echeque.com
Wed Aug 29 04:31:41 EDT 2012


On Wed, Aug 29, 2012 at 2:33 AM, James A. Donald <jamesd at echeque.com> wrote:
 >> Suppose your web page incorporates some content from
 >> another url, a not altogether trusted url.  Let us call
 >> this other url Malloc.  You, the owner of the website and
 >> the author of the main part of the web page are Bob, the
 >> browser is being viewed by Carol, and you incorporate
 >> content from Malloc that you hope is innocent, but may not
 >> be.
 >>
 >> How does Bob make sure his web page cannot have its
 >> secrets leaked, nor can the content that Bob intends to
 >> control be controlled by Malloc, so that Malloc cannot
 >> man-in-the-middle, cannot spy on, nor change, the
 >> conversation between Bob and Carol, cannot lead Carol to
 >> think Bob said something different from that which he
 >> intended to say, nor lead Bob to think that Carol clicked
 >> on something other than that which she clicked on?

On 2012-08-29 1:13 PM, Ben Laurie wrote:
 > Caja: http://code.google.com/p/google-caja/.

So Bob's server gets a page from Malloc's server, vanillizes it using 
Caja, and serves Carol with Bob's content combined with vanilla Malloc 
content.

Or does Bob's web page running on Carol's machine download a page from 
Malloc's server, and caja-ize Malloc's page on Carol's machine before 
permitting it to run on Carol's machine inside the context controlled by 
Bob.



More information about the cryptography mailing list