Re: A Somewhat Critical View of SOP (Same Origin Policy)

On Monday 14 September 2015 8:43:20 Tony Arcieri wrote:
> > Coming on with the SOP as a drop dead argument against hardware security
> 
> SOP doesn't work with PKCS#11-style APIs. FIDO shows what's possible with
> hardware tokens that respect the SOP, though.

Obviously, because they all define their own scope. If you set one scope as 
absolute (e.g. SOP), the other doesn't fit. This isn't exactly magic. The 
profound mistake is to believe that SOP is the only security on the web. I can 
well imagine privacy + identity management + security of transactions instead of 
origins. This greatly reduces my trust exposure. It is just a totally 
different way. And of course it can't apply 1/1 to globalalliance, as I imagine 
the definition of scope is not compatible, right. But SOP is also the wrong 
knife to cut that bread, because the security here is not defined by the SOP, 
but by your identity provider that crosses some origins. Otherwise it wouldn't 
work.

 --Rigo

Received on Tuesday, 15 September 2015 19:53:44 UTC