Summit 2011 Working Sessions/Session001

{{Template: {{{1}}} Summit 2011 Working Sessions test tab


 * summit_session_attendee_name1 = Email John Wilander if you are unable to edit the Wiki and would like to sign up!
 * summit_session_attendee_email1 = john.wilander@owasp.org
 * summit_session_attendee_username1 =
 * summit_session_attendee_company1=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=


 * summit_session_attendee_name2 = Michael Coates
 * summit_session_attendee_email2 =
 * summit_session_attendee_username2 =
 * summit_session_attendee_company2=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=


 * summit_session_attendee_name3 =
 * summit_session_attendee_email3 =
 * summit_session_attendee_username3 =
 * summit_session_attendee_company3=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=


 * summit_session_attendee_name4 = Stefano Di Paola
 * summit_session_attendee_email4 =
 * summit_session_attendee_username4 =
 * summit_session_attendee_company4=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=


 * summit_session_attendee_name5 = Isaac Dawson
 * summit_session_attendee_email5 =
 * summit_session_attendee_username5 =
 * summit_session_attendee_company5= Veracode
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=


 * summit_session_attendee_name6 = Chris Eng
 * summit_session_attendee_email6 = ceng@veracode.com
 * summit_session_attendee_username6 =
 * summit_session_attendee_company6= Veracode
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=


 * summit_session_attendee_name7 =
 * summit_session_attendee_email7 =
 * summit_session_attendee_username7 =
 * summit_session_attendee_company7=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=


 * summit_session_attendee_name8 =
 * summit_session_attendee_email8 =
 * summit_session_attendee_username8 =
 * summit_session_attendee_company8=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=


 * summit_session_attendee_name9 =
 * summit_session_attendee_email9 =
 * summit_session_attendee_username9 =
 * summit_session_attendee_company9=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=


 * summit_session_attendee_name10 =
 * summit_session_attendee_email10 =
 * summit_session_attendee_username10 =
 * summit_session_attendee_company10=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=


 * summit_session_attendee_name11 =
 * summit_session_attendee_email11 =
 * summit_session_attendee_username11 =
 * summit_session_attendee_company11=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=


 * summit_session_attendee_name12 =
 * summit_session_attendee_email12 =
 * summit_session_attendee_username12 =
 * summit_session_attendee_company12=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=


 * summit_session_attendee_name13 =
 * summit_session_attendee_email13 =
 * summit_session_attendee_username13 =
 * summit_session_attendee_company13=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=


 * summit_session_attendee_name14 =
 * summit_session_attendee_email14 =
 * summit_session_attendee_username14 =
 * summit_session_attendee_company14=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14=


 * summit_session_attendee_name15 =
 * summit_session_attendee_email15 =
 * summit_session_attendee_username15 =
 * summit_session_attendee_company15=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=


 * summit_session_attendee_name16 =
 * summit_session_attendee_email16 =
 * summit_session_attendee_username16 =
 * summit_session_attendee_company16=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=


 * summit_session_attendee_name17 =
 * summit_session_attendee_email17 =
 * summit_session_attendee_username17 =
 * summit_session_attendee_company17=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=


 * summit_session_attendee_name18 =
 * summit_session_attendee_email18 =
 * summit_session_attendee_username18 =
 * summit_session_attendee_company18=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=


 * summit_session_attendee_name19 =
 * summit_session_attendee_email19 =
 * summit_session_attendee_username19 =
 * summit_session_attendee_company19=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=


 * summit_session_attendee_name20 =
 * summit_session_attendee_email20 =
 * summit_session_attendee_username20 =
 * summit_session_attendee_company20=
 * summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=


 * summit_track_logo = [[Image:T._browser_security.jpg]]
 * summit_ws_logo = [[Image:WS._browser_security.jpg]]
 * summit_session_name = DOM Sandboxing
 * summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session001
 * mailing_list = https://groups.google.com/group/owasp-summit-browsersec
 * mailing_list = https://groups.google.com/group/owasp-summit-browsersec


 * short_working_session_description= Virtualization and Sandboxing for Secure Multi-Domain Web Apps


 * related_project_name1 = Browser Security Track - main page
 * related_project_url_1 = http://www.owasp.org/index.php/Category:Summit_2011_Browser_Security_Track


 * related_project_name2 = Google Group for the Browser Security Track
 * related_project_url_2 = https://groups.google.com/group/owasp-summit-browsersec


 * related_project_name3 =
 * related_project_url_3 =


 * related_project_name4 =
 * related_project_url_4 =


 * related_project_name5 =
 * related_project_url_5 =




 * summit_session_objective_name1= Attenuated versions of existing apis to sandboxed code. How should browsers introduce new apis into the sandbox or allow the sandbox to provide attenuated versions of existing apis to sandboxed code? For example, lets say the sandbox wants to provide an attenuated "alert" function to sandboxed code which does something slightly different than the real "alert". What kind of apis could the browser provide to safely allow such extensions/apis? Do these need to be standardized such that different sandbox vendors can interoperate.


 * summit_session_objective_name2 = Client side sandboxed apps maintaining state and authentication. For example if a user is created in a sandboxed app how is it determined what that user can do?


 * summit_session_objective_name3 = Create a standard for modifying a sandboxed environment


 * summit_session_objective_name4 = Deprecate and discourage standards which ambiently or undeniably pass credentials.


 * summit_session_objective_name5 =  Create a standard for authentication within a sandboxed environment (maybe interfacing with existing auth without passing creds like 0Auth works)




 * working_session_date_and_time = Tuesday, 09 February Time: TBA




 * discussion_model = The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.




 * operational_resources = Projector, whiteboards, markers, Internet connectivity, power




 * working_session_additional_details =

Co-chair Dr Jasvir Nagra
Jasvir Nagra is a researcher and software engineer at Google. He is the designer of Caja - a secure subset of HTML, CSS and JavaScript; co-author of Surreptitious Software - a book on obfuscation, software watermarking and tamper-proofing, contributer to Shindig - the reference implementation of OpenSocial.

Co-chair Gareth Heyes
Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind JSReg – a Javascript sandbox which converts code using regular expressions; HTMLReg & CSSReg – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-' – a book on how an attacker would bypass different types of security controls including IDS/IPS.




 * summit_session_deliverable_name1 = Browser Security Report


 * summit_session_deliverable_name2 = Browser Security Priority List


 * summit_session_deliverable_name3 =


 * summit_session_deliverable_name4 =


 * summit_session_deliverable_name5 =


 * summit_session_deliverable_name6 =


 * summit_session_deliverable_name7 =


 * summit_session_deliverable_name8 =




 * summit_session_leader_name1 = Dr. Jasvir Nagra
 * summit_session_leader_email1 =
 * summit_session_leader_username1 =


 * summit_session_leader_name2 = Gareth Heyes
 * summit_session_leader_email2 = gazheyes@gmail.com
 * summit_session_leader_username2 = Gareth Heyes


 * summit_session_leader_name3 =
 * summit_session_leader_email3 =
 * summit_session_leader_username3 =




 * operational_leader_name1 = John Wilander
 * operational_leader_email1 = john.wilander@owasp.org

}}
 * meeting_notes =
 * session_name_mask = Session001
 * session_home_page = Summit_2011_Working_Sessions/Session001
 * session_name_mask = Session001
 * session_home_page = Summit_2011_Working_Sessions/Session001