Note that phishing attacks are out of scope.
Confidential information should not influence any of these fields unless they come from the same origin as the confidential data. (But note that exfiltration attacks can make even this unsafe unless some safeguards are taken.)
For storage channels, data is not directly transmitted to an outside source. However, any security labels need to be persisted along with the data, or these channels need to be treated like delayed channels.
We assume that each origin may be its own security principal. In addition, we have a LOCAL_ONLY label for data that should never leave the client.
Since XHR can be used to pull sensitive data from different pages, we need to handle its results with some care.
In this section we discuss a possible approach to limiting a script's access to the DOM.
Exfiltration attacks present a significant threat to confidentiality for information flow analysis. In short, exfiltration attacks involve sending confidential information back to its origin, but to another account. (For example, an attacker might send someone else's confidential information from Facebook back to his own Facebook account).
In order to defend against these attacks, we will need to add a notion of integrity. Confidential data can only be sent back to its origin if the decision to do so was not influenced by any other principal. (This is one solution that has been proposed for safe declassification.)
We note that cross-site loading tags might not require this restriction, since it does not seem likely that an attacker can learn information by loading data from someone else's servers.
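The label model sketched above (origins as principals, a LOCAL_ONLY label, and the integrity rule for sending data back to its origin), as an added example that is not part of this page; the `Label`, `labeled`, `may_send` and `send_decision` names and the sample origins are assumptions made for illustration:

```python
from dataclasses import dataclass

LOCAL_ONLY = "LOCAL_ONLY"  # label for data that must never leave the client (assumed spelling)


@dataclass(frozen=True)
class Label:
    # confidentiality: origins whose confidential data flowed into this value
    readers: frozenset
    # integrity: principals that influenced this value or the decision to send it
    influenced_by: frozenset

    def join(self, other):
        # combining two values: readers and influencers accumulate
        return Label(self.readers | other.readers,
                     self.influenced_by | other.influenced_by)


def labeled(origin):
    """Data read from one origin (e.g. an XHR result): confidential to that
    origin and so far influenced only by it."""
    return Label(frozenset({origin}), frozenset({origin}))


def may_send(label, destination):
    """Can a value carrying `label` be sent to `destination`?
    1. LOCAL_ONLY data never leaves the client.
    2. Only the origin the data came from may receive it (same-origin rule).
    3. Sending it back is allowed only if no other principal influenced the
       decision, which blocks the 'send it to my own account' exfiltration."""
    if LOCAL_ONLY in label.readers:
        return False
    if not label.readers <= {destination}:
        return False
    return label.influenced_by <= {destination}


def send_decision(data_label, script_origin, destination):
    """Label of an outgoing request: the data being sent, joined with the
    context of the script issuing the request (script_origin influenced it)."""
    pc = Label(frozenset(), frozenset({script_origin}))
    return may_send(data_label.join(pc), destination)


if __name__ == "__main__":
    # constructed scenario: a script from evil.com tries to post
    # facebook.com data back to facebook.com (another account)
    print(send_decision(labeled("facebook.com"), "evil.com", "facebook.com"))    # False
    print(send_decision(labeled("facebook.com"), "facebook.com", "facebook.com"))  # True
```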