Security model for web documents
Draft 0
2006-01-02 / lth@opera.com


Element content.

Documents loaded from the public web into a web browser contain the
following types of active elements (where "active" means "does stuff
on its own"):

  - Scripts (typically javascript)
  - XSLT
  - SVG and animated images
  - Java applets
  - Plugin content (the plugins themselves are always 
    installed locally)

There are also passive elements:

  - HTML documents themselves
  - Frames inside framesets
  - Iframes
  - Static images
  - Style sheets (CSS)

The line between the two types is blurry; generally we can say that if
an element creates a computation that is guaranteed always to halt,
then it is passive.  This distinction ignores the meta-refresh tag,
for example.

The passive and active elements can in turn reference other entites;
for example a style sheet can reference another style sheet or an
image, and a script can use DOM3 Load to load an XML document from a
URL.


The domain model.

A security model known as the "domain model" exists to govern how
element content is loaded.  As the name suggests, this model is based
on the domain of the document, where a domain is a triple (protocol,
host name, port).  Content in one document may only "access" content
in another if their domains match according to some rule.  Every HTML
document 

The intuition behind the domain model is that documents should not be
allowed to inspect content that do not belong to them, and the easiest
way to implement that is to allow them to see only content that was
loaded from the same domain and that they therefore must be assumed to
have access to anyway.

The domain model breaks down in numerous ways.  Firstly, it does no
good for meta-hosts like geocities.com, which host multiple unrelated
sites under one domain.  geocities.com/mysite and
geocities.com/yoursite can access each other's content.  Secondly, it
prevents useful page content (scripts, images, styles) from one site
from being inlined into another site.  Thirdly, it prevents the
construction of client-side content aggregators, since DOM3 Load and
XmlHttpRequest are subject to domain security checks.



Inline elements.

Known model:

 - pages from domain x (x != FILE) cannot load pages from the FILE
   domain

