COWL questions
Why are labeled blobs crucial for making COWL practical? (Can’t a context just raise its label to ensure that a receiving context is at least as sensitive before sending it data? Come up with a scenario where this wouldn’t work.)
Why does COWL not allow arbitrary JavaScript objects to be labeled and sent via postMessage? (I.e., why must objects be structurally clonable?)
One can think of COWL as an adaptation of LIO for the browser. But, unlike for LIO, we cannot prove termination-sensitive non-interference (TSNI) for COWL. Recall what TSNI is and explain why we can’t prove this for COWL.