"I believe that concerns like this are why Apple will introduce the
"content blocking" extensions in iOS 9 and OS X 10.11. They enable the
most popular types of extension (ad blocking and privacy protection)
without letting extension code run in your browser."
Fully agree. We actually described exactly that mechanism in an early
version of our paper (declarative APIs), but didn't have enough space
to do it for the final version.
"While the tainted data approach sounds interesting, I don't think there's an easy way to guarantee the safeness of arbitrary code executed on your machine. It's possible to sandbox code, but as soon as you allow any communication at all, there's no automated way to prevent data theft."
It turns out, it is possible with information flow control (IFC). The
simple idea behind IFC is to protect data by labeling/tagging it and
restricting code according to the kinds of labeled data it reads. Once
code in an execution context (e.g., iframe or process) reads some
labeled data, IFC restricts where it can further communicate. In the
simplest form: once you read data that is SECRET, you can't write to
any PUBLIC communication channel. (You can, of course, write to a
SECRET channel.)
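A toy version of the label-based monitor the comment describes, added here as an illustration (not code from the commenters or their paper); it also goes beyond the two-level SECRET/PUBLIC case to labels built from several origin tags. Channel names and sample values are constructed.

```javascript
// Added example, not from the thread: a minimal information flow control (IFC)
// monitor. Labels are sets of secrecy tags (PUBLIC = {}, SECRET = {"SECRET"}).
// A context (the "iframe or process" above) accumulates the tags of everything
// it reads and may write only to channels whose label covers that set.

// Lattice order: label a flows to label b iff every tag of a is also in b.
function flowsTo(a, b) {
  for (const tag of a) if (!b.has(tag)) return false;
  return true;
}
// Least upper bound: a context that has read a and b is tainted by both.
const join = (a, b) => new Set([...a, ...b]);
const makeChannel = (name, tags) => ({ name, label: new Set(tags), buffer: [] });
class Context {
  constructor() {
    this.label = new Set(); // nothing read yet, so the context is PUBLIC
  }
  // Reading labeled data raises the context's label (the label "floats" up).
  read(value, tags) {
    this.label = join(this.label, new Set(tags));
    return value;
  }
  // A write goes through only if the current label flows to the channel's.
  write(channel, value) {
    const allowed = flowsTo(this.label, channel.label);
    if (allowed) channel.buffer.push(value);
    return allowed; // false means the monitor blocked a would-be leak
  }
}

// The two-level case from the comment: after reading SECRET data the context
// can no longer write to a PUBLIC channel, but may still write to a SECRET one.
function twoLevelScenario() {
  const pub = makeChannel("public-net", []);
  const sec = makeChannel("secret-store", ["SECRET"]);
  const ctx = new Context();
  const beforeRead = ctx.write(pub, "hello");  // allowed: nothing read yet
  const v = ctx.read("hunter2", ["SECRET"]);   // constructed sample secret
  return { beforeRead, toPublic: ctx.write(pub, v), toSecret: ctx.write(sec, v) };
}

// Beyond two levels: data read from two origins may flow only to a channel
// cleared for both, not to one cleared for just one of them.
function twoOriginScenario() {
  const ctx = new Context();
  ctx.read("balance", ["bank"]);
  ctx.read("inbox", ["mail"]);
  return { toBank: ctx.write(makeChannel("bank-api", ["bank"]), "x"),
           toBoth: ctx.write(makeChannel("audit", ["bank", "mail"]), "x") };
}
```

Real IFC systems additionally track integrity and declassification; this monitor only shows the secrecy half of the rule quoted above.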