A Unified Security Model for Web Applications

Rick Cox

The web browser has become a complete operating system, providing a deployment platform for a huge number of web applications that vary greatly in trustworthiness. In this role, it is the web browser that must isolate these applications from one another. Traditional time-sharing systems have a clear principal (the user) to which security policies are applied. Web applications, by contrast, are only loosely defined, as collections of interacting servers. This makes it very difficult for the browser to completely isolate one application from another.

In this talk, I'll introduce our mechanism that allows web developers to securely define the boundaries of their applications.