Re: WebAppSec re-charter status

On Wed, Feb 11, 2015 at 11:09 PM, David Ross <drx@google.com> wrote:
> That being said, I think the criticism is a bit unfair.  EPR is an opt-in
> feature with an intended audience largely separate from those who might wish
> to prevent deep linking on their web sites.

Why does the intended audience of the feature matter? What matters is
what it does and how it can be used, no?


> I don't see any reason to
> believe that we will see excessive and inconsiderate application of EPR
> leading to linkability issues on the web at large.  If a publisher is
> determined to prevent deep linking there are plenty of ways for them to do
> that today, whether they choose to make use of the web platform or not.
> IMO, quashing proposed platform functionality such as EPR constrains
> consumers of the web platform and serves to limit the attractiveness of the
> platform as a whole.

We just want to be cautious.


> EPR helps enable the web platform to support scenarios with very stringent
> security requirements.  For example, XSS or XSRF is an unacceptable failure
> mode for sensitive applications.  (E.g., administrative consoles)  Authors of
> these sensitive applications sometimes favor implementation as a legacy
> platform app, a mobile app, or even a command line app over the web app
> platform simply because of this security consideration.  I believe it's
> important to provide the _option_ for developers to implement EPR to better
> meet their security requirements.

There are other ways we could limit some of these too I think. E.g. by
introducing first-party and/or same-origin cookies.


-- 
https://annevankesteren.nl/

Received on Thursday, 12 February 2015 07:42:47 UTC