The web interface should be radically refactored

The Web API conflates two conflicting goals: serving developers by supporting a wide and growing suite of functionality, and providing applications with an isolated execution environment. We propose to split the API into two levels of interface: a low-level interface that governs the relationship between the application and the browser, and a set of high-level interfaces that govern the relationship between the application and its developer. We delineate a tiny set of properties needed by the low-level interface. We argue that this restructuring provides significant benefit to both developers and users.

[1]  Helen J. Wang,et al.  A Systematic Approach to Uncover Security Flaws in GUI Logic , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[2]  Christian S. Collberg,et al.  SLINKY: Static Linking Reloaded , 2005, USENIX Annual Technical Conference, General Track.

[3]  Charles Reis,et al.  Isolating web programs in modern browser architectures , 2009, EuroSys '09.

[4]  Yi-Min Wang,et al.  An analysis of browser domain-isolation bugs and a light-weight transparent defense mechanism , 2007, CCS '07.

[5]  Alexey Melnikov,et al.  The WebSocket Protocol , 2011, RFC.

[6]  Samuel T. King,et al.  Trust and Protection in the Illinois Browser Operating System , 2010, OSDI.

[7]  Chun-Kun,et al.  Lecture Note Sel4: Formal Verification of an Os Kernel , 2022 .

[8]  Samuel T. King,et al.  Secure Web Browsing with the OP Web Browser , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[9]  Steven D. Gribble,et al.  A safety-oriented platform for Web applications , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[10]  Bennet S. Yee,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[11]  Donald E. Porter,et al.  Rethinking the library OS from the top down , 2011, ASPLOS XVI.

[12]  Norman Feske,et al.  A Nitpicker’s guide to a minimal-complexity secure GUI , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[13]  Helen J. Wang,et al.  User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems , 2012, 2012 IEEE Symposium on Security and Privacy.

[14]  James W. Mickens,et al.  Atlantis: robust, extensible execution environments for web applications , 2011, SOSP '11.

[15]  Jon Howell,et al.  Leveraging Legacy Code to Deploy Desktop Applications on the Web , 2008, OSDI.

[16]  Helen J. Wang,et al.  The Multi-Principal OS Construction of the Gazelle Web Browser , 2009, USENIX Security Symposium.

[17]  Jochen Liedtke,et al.  Toward real microkernels , 1996, CACM.

[18]  Ka-Ping Yee,et al.  Aligning Security and Usability , 2004, IEEE Secur. Priv..

[19]  Zachary Weinberg,et al.  I Still Know What You Visited Last Summer: Leaking Browsing History via User Interaction and Side Channel Attacks , 2011, 2011 IEEE Symposium on Security and Privacy.

[20]  Jonathan S. Shapiro,et al.  Design of the EROS Trusted Window System , 2004, USENIX Security Symposium.

[21]  Benjamin Livshits,et al.  AjaxScope: a platform for remotely monitoring the client-side behavior of web 2.0 applications , 2007, TWEB.

[22]  Jelena Mirkovic,et al.  Attacking DDoS at the source , 2002, 10th IEEE International Conference on Network Protocols, 2002. Proceedings..