Re: Isolate-Me explainer from John Wilander on 2016-09-19 (public-webappsec@w3.org from September 2016)

From: John Wilander <wilander@apple.com>
Date: Mon, 19 Sep 2016 13:55:29 -0700
To: "Emily Stark (Dunn)" <estark@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, Joel Weinberger <jww@google.com>, Tanvi Vyas <tanvi@mozilla.com>
Message-id: <1B961B42-4932-4DA8-A3AF-94113E7A71CB@apple.com>

> On Sep 16, 2016, at 8:15 AM, Emily Stark (Dunn) <estark@google.com> wrote:
> 
> Hi webappsec! Mike, Joel, and I have been discussing an idea for a developer facing opt-in to allow highly security- or privacy-sensitive sites to be isolated from other origins on the web.
> 
> We wrote up the idea here to explain what we're thinking about, why we think it's important, and the major open questions: https://mikewest.github.io/isolation/explainer.html <https://mikewest.github.io/isolation/explainer.html>
> 
> Please read and comment/criticize/etc. Thoughts welcome, either here in this thread or as GitHub issues. Especially interested to hear from Mozilla folks as it relates to and is heavily inspired by containers.

Interesting! This is more or less what we proposed under the name single trust at the face-to-face. I have been asking Mike to bring into Secure Contexts v2. :)

We believe this would not only be good for site security but could also allow more powerful APIs which is why we thought Secure Contexts is a good fit. You could envision security sensitive features such as auto-fill/auto-login to only be available in single trust. Or the ability to talk to localhost as has been discussed here at length.

The reason we have discussed this as single trust is the academic research done in mixed trust. Browsers only show a green bar/padlock for the top frame domain where in reality there could be a hundred other organizations the user is implicitly trusting through sub resource and sub frame loads and redirects. Hence, mixed trust.

This naturally leads us to one of the other proposals we brought up at the face to face – associated domains. Under §4. Isolation Policy you bring up the fact that sensitive sites still might want to interact with or include third party content. But such content may not really be from a third party but from a different domain owned by the same organization – an associated domain. The host is simply a poor differentiator of first and third party. If we could come up with a safe way to declare ownership and/or control we could allow associated domains to cooperate while being isolated from the rest of the world.

   Regards, John

Received on Monday, 19 September 2016 20:56:00 UTC