Re: A Somewhat Critical View of SOP (Same Origin Policy)

On 2015-09-28 21:27, Tony Arcieri wrote:
> On Monday, September 28, 2015, Alex Russell <slightlyoff@google.com <mailto:slightlyoff@google.com>> wrote:
>
>     Extension APIs are, by definition, outside SOP; not only do they break SOP they exist primarily to subvert it (e.g., content scripts).
>
>     This is basic stuff. It's hard to have a conversation about such a complicated area without shared understanding of the basics.
>
>
> I really have to agree. This whole wiki page has so many problems it's effectively a gish gallop*, preventing meaningful conversation because no one could possibly respond to all of the problems.

Thanx :-(
I don't see why a proper implementation of Native Messaging couldn't together with an equally properly written native extension indeed support SOP.  I never said this is what the world wants, I only pointed out this as a possibility.  U2F could for example have been supported this way.

https://github.com/cyberphone/web2native-bridge#api

>
> In an area where there is not only rough consensus and running code, but precise definitions, specifications, and a common nomenclature, this document does a lot of redefining of terms (most notably SOP itself), that is when it's not making slippery slope arguments around the security guarantees SOP can provide and suggesting we give up because SOP is not the universal panacea for all problems.
>
> I can cite some specific examples for the curious, but I'm not going to run the gish gallop.
>
> My only real request for this Wiki page is it be given a more appropriate name, like "Criticisms of the Same-Origin Policy" (which this document confusingly and repeatedly calls "Single-Origin Policy", itself a testiment to the overall degree of misunderstanding happening here)
>
> [1]: http://rationalwiki.org/wiki/Gish_Gallop
>
>
> -- 
> Tony Arcieri
>

Received on Monday, 28 September 2015 19:49:00 UTC