Why are labeled blobs crucial for making COWL practical? (Can’t a context just raise its label to ensure that a receiving context is at least as sensitive before sending it data? Come up with a scenario where this wouldn’t work.)
postMessage? (I.e., why must objects be structurally clonable?)
One can think of COWL as an adaptation of LIO for the browser. But, unlike for LIO, we cannot prove termination-sensitive non-interference (TSNI) for COWL. Recall what TSNI is and explain why we can't prove this for COWL.