[Bug 27269] Normatively require distinctive identifiers to be different by top-level and EME-using origin

https://www.w3.org/Bugs/Public/show_bug.cgi?id=27269

--- Comment #5 from Henri Sivonen <hsivonen@hsivonen.fi> ---
(In reply to David Dorwin from comment #4)
> While using a combination of origins may address the concern, there are
> potential problems:
> 1. Other storage mechanisms (cookies, etc.) are not unique per combination.

Well, cookies are so broken that they aren't even clamped to an origin! Still,
the Web Platform has been able to introduce other things that have origin-based
security.

>  * Introducing this new type of separation for this single purpose may be
> problematic.

Chances are that it's a bug that this kind of separation isn't being used for
other things, too. Quoting Mike Perry from
https://groups.google.com/d/msg/mozilla.dev.privacy/3jA9zt1pXVo/tD0buhEMfMEJ :
> For the record, in Tor Browser we are also trying to demonstrate that it
> is possible to provide the same third party tracking protections as "Do
> Not Track" through technology, rather than policy.
>
> In other words, we have jailed/double-keyed/disabled third party
> cookies, cache, DOM storage, HTTP Auth, and TLS Session state to the URL
> bar domain, to eliminate third party tracking across different url bar
> sites.

(Back to quoting David Dorwin:)
> For example:
>   i. Communicating this to the user could be difficult.

My recollection is that I've even seen a UI design *for Chrome* for a scoped
permission (for geolocation) like this in a paper co-authored by Adrienne
Porter Felt, but now I can't find such a paper.

>   ii. User agent implementations may not support storage by such
> combinations.

Well, a priori, UAs don't support CDM interfaces, either. Code needs to be
written to support new things.

> 2. All CDM storage must be similarly separated.
>  * This is more complex than just salting an identifier.
>  * See also #1.
>  * See also #incomplete-clearing in the spec.

You store a salt per top-level + EME-calling origin pair. Then you give a CDM
storage partition for each salt.

> 3. Appearing as a different user/device to the EME-using origin may have
> undesirable results for the user.

Do you have examples?

Received on Friday, 12 December 2014 13:05:17 UTC
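
The salt-per-pair scheme from the reply to point 2 ("You store a salt per top-level + EME-calling origin pair. Then you give a CDM storage partition for each salt."), as an added example that is not part of the original message or of any user agent's code. The class name, the methods, the `deviceSecret` stand-in and the `.example` origins are all assumptions made for illustration.

```javascript
// Added illustration: hypothetical names, not a real browser or CDM API.
const { randomBytes, createHmac } = require("node:crypto");

class PartitionedCdmStore {
  constructor(deviceSecret) {
    this.deviceSecret = deviceSecret; // stand-in for the CDM's per-device value
    this.salts = new Map();           // origin-pair key -> random salt
    this.partitions = new Map();      // salt (hex) -> CDM data for that pair
  }

  // Key on BOTH origins, normalized, so one EME-using origin embedded under
  // two top-level sites gets two unrelated salts.
  static pairKey(topLevelUrl, emeUrl) {
    return JSON.stringify([new URL(topLevelUrl).origin, new URL(emeUrl).origin]);
  }

  saltFor(topLevelUrl, emeUrl) {
    const key = PartitionedCdmStore.pairKey(topLevelUrl, emeUrl);
    if (!this.salts.has(key)) this.salts.set(key, randomBytes(32));
    return this.salts.get(key);
  }

  // The identifier exposed to the EME-using origin depends on the salt, so it
  // cannot be correlated across top-level sites.
  distinctiveId(topLevelUrl, emeUrl) {
    const salt = this.saltFor(topLevelUrl, emeUrl);
    return createHmac("sha256", this.deviceSecret).update(salt).digest("hex");
  }

  // One storage partition per salt.
  partition(topLevelUrl, emeUrl) {
    const id = this.saltFor(topLevelUrl, emeUrl).toString("hex");
    if (!this.partitions.has(id)) this.partitions.set(id, new Map());
    return this.partitions.get(id);
  }

  // Clearing removes salt and partition together; leaving either behind
  // would let the old identity be re-derived or re-read.
  clear(topLevelUrl, emeUrl) {
    const key = PartitionedCdmStore.pairKey(topLevelUrl, emeUrl);
    const salt = this.salts.get(key);
    if (salt) this.partitions.delete(salt.toString("hex"));
    this.salts.delete(key);
  }
}
```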