Note that phishing attacks are out of scope.

Output channels through which labeled data may leave the client:

* href attribute of links (<a>)
* form submission (elements of the form)
* cross-site loading tags (in the DOM)
* XmlHttpRequest (XHR)
* form.submit
* postMessage
For storage channels, data is not directly transmitted to an outside party; however, any security labels must be persisted along with the data, or these storage mechanisms must be treated as delayed channels:

* cookies
* window.name
* sessionStorage (HTML5 web storage)
* localStorage (HTML5 web storage)
* persistence mechanisms for Flash (or other plugins)
We assume that each origin may be its own security principal. In addition we have a LOCAL_ONLY label for data that should never leave the client.
* passwords – allow sending to the submission origin, but only if the value was not influenced by another principal. Perhaps also restrict output channels to form submission and XHR?
* geolocation – LOCAL_ONLY, unless the user authorizes its release (this would allow us to securely loosen the current restrictions on geolocation).
* HTML elements/attributes marked as confidential by the website's developers.

Since XHR can be used to pull sensitive data from different pages, we need to handle its results with some care:

* By default, SSL-secured resources are treated as confidential to the origin.
* By default, other results from XHR are treated as public.
* Both of the above defaults may be changed by the developer via HTTP headers.
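To make the labeling rules concrete, here is an added toy model (not part of this wiki page or any browser implementation) of labels as sets of influencing principals, with the per-origin principals, the LOCAL_ONLY label, the password rule, and the XHR default-label rule. The `x-label` header name used for the developer override is an assumption for illustration only.

```javascript
// Added example: a toy label model for the scheme described above.
// A label is the set of principals (origins) that influenced a value.
// LOCAL_ONLY is a distinguished principal that no output channel may satisfy.
const LOCAL_ONLY = "LOCAL_ONLY";

class Labeled {
  constructor(value, principals) {
    this.value = value;
    this.label = new Set(principals); // empty set == public
  }
  // Join: a value derived from two labeled inputs carries both labels.
  static join(a, b, value) {
    return new Labeled(value, [...a.label, ...b.label]);
  }
}

// May data with this label be released to destination origin `dest`
// (e.g. via form submission or XHR)? Allowed iff the label is public or
// every influencing principal is `dest` itself. This encodes the password
// rule: a password influenced by a second principal can go nowhere.
function mayFlowTo(labeled, dest) {
  for (const p of labeled.label) {
    if (p === LOCAL_ONLY) return false; // never leaves the client
    if (p !== dest) return false;       // another principal influenced it
  }
  return true;
}

// Default label for an XHR result: SSL-secured resources are confidential
// to their origin, other results are public, unless the developer overrides
// the default via an HTTP header ("x-label" is an assumed header name).
function labelXhrResult(url, responseHeaders, body) {
  const origin = new URL(url).origin;
  const override = responseHeaders["x-label"];
  if (override === "public") return new Labeled(body, []);
  if (override === "confidential") return new Labeled(body, [origin]);
  const isSsl = url.startsWith("https:");
  return new Labeled(body, isSsl ? [origin] : []);
}

// Constructed scenario: a password typed for bank.example, a string
// supplied by an advertising principal, and a LOCAL_ONLY geolocation value.
function demo() {
  const bank = "https://bank.example", ads = "https://ads.example";
  const pw = new Labeled("hunter2", [bank]);
  const adSuffix = new Labeled("?ref=ad", [ads]);
  const tainted = Labeled.join(pw, adSuffix, pw.value + adSuffix.value);
  const geo = new Labeled({ lat: 0, lon: 0 }, [LOCAL_ONLY]);
  return {
    pwToBank: mayFlowTo(pw, bank),          // true
    pwToAds: mayFlowTo(pw, ads),            // false
    taintedToBank: mayFlowTo(tainted, bank),// false: influenced by ads
    geoToBank: mayFlowTo(geo, bank),        // false: LOCAL_ONLY
  };
}
```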
* analytics – do not need access to the DOM?
* most advertisements – need only modify/select specific DOM elements
* embedded maps, videos, etc. – generally only modify specific DIV/SPAN elements
* target-word ads – need extensive access to the DOM (an example can be seen at: http://www.tomshardware.com/reviews/core-i3-530-overclock-lga-1156,2626-4.html)