W3C home > Mailing lists > Public > public-web-security@w3.org > October 2015

Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 1 Oct 2015 22:19:29 +0200
To: "henry.story@bblfish.net" <henry.story@bblfish.net>
Cc: Alex Russell <slightlyoff@google.com>, Tony Arcieri <bascule@gmail.com>, GALINDO Virginie <Virginie.Galindo@gemalto.com>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <560D9551.1000405@gmail.com>
On 2015-10-01 22:02, henry.story@bblfish.net wrote:
>
>> On 1 Oct 2015, at 19:40, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>
>> Since Microsoft and Mozilla have decided to implement Chrome extensions
>> including Native Messaging this topic has effectively left the W3C
>> so we can safely put it to rest.  Problem solved :-)
>
> Whether it is specified in the W3C or not is not really relevant,
> since other features like TLS, FIDO, OpendID or OAuth are also specified
> outside of the W3C but are part of the debate.

In this case we are talking about a crude work-around that appears
to become a de-facto standard.  A very important one as well.

>
> I don't know much about Native Messaging, but following the link
> from the wiki [1] I arrived at the API spec, where I see that there
> are some restrictions as to what domains the extension can work with.
>
> https://developer.chrome.com/extensions/messaging#external-webpage
>
> The extension has to specify in its Manifest from which domains it wishes
> to receive messages. The example given is:
>
> "externally_connectable": {
> "matches": ["*://*.example.com/*"]
> }
>
> So clearly this allows cross origins use of the extension, which can presumably
> keep data in the external application and then use that to communicate with the
> other sites specified in the manifest.
>
> Where in the case of FIDO we have the web site limiting the use of key within
> some limits imposed on it, here we have the extension limiting which sites can
> use it.
>
> This would actually be much more interesting if one could devise a method by
> which extensions could securely and without name clashes work with any site.
> Here it seems a bit half way in both directions.
>
> As I said I am new to this space, so I am happy to be corrected here.
>
> Henry
>
> [1] https://blog.chromium.org/2013/10/connecting-chrome-apps-and-extensions.html
>
>
> Henry
>
Received on Thursday, 1 October 2015 20:20:00 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 1 October 2015 20:20:00 UTC