Ken Manheimer wrote:
Shane Hathaway <shane@zope.com> wrote:
This hasn't been fixed because it's not well understood. Javascript can POST an invisible form, AFAIK. The problem occurs on the browsers of users who are *already authenticated*. It has nothing to do with Zope or any server software, really.
I recently saw a _very_ interesting description of how capability-based distributed computing (and the Principle of Least Authority) is used to address vulnerabilities to client side trojans, viruses, etc. I think the approach may apply to the web situation.
"Capabilities" are a signficant, fairly established idea in the realm of distributed operating systems, but are not very familiar more generally. This description is by far the most approachable i've seen (and perhaps, the first i've understood:) - i highly recommend looking it over. It's in a substantial overview of the very nifty looking scripting language, E, which is specifically designed to provide secure, reliable, manageable distributed computing scripting. The relevant bits are at:
Very interesting. Thanks for the link. I read Marc's whole description of capability-based security: http://www.skyhunter.com/marcs/capabilityIntro/ It makes a lot of sense. In situations where it is possible, I am inclined to agree that capabilities are the most secure approach to writing software. I don't know how to apply capability-based security to the trojan problem, but I'm thinking about how it could be integrated into Zope. Perhaps there could be objects that declare themselves to be "capabilities"; that is, any object that can reach them is allowed to call any method of them. Shane