
Re: Origin-scoped cache/cookie/storage context

From: Nasko Oskov <nasko@chromium.org>
Date: Fri, 10 Jan 2014 10:09:10 -0800
Message-ID: <CAA=myAvF2U4QHqQLg2d1o3YkiN3WCGL=VXc3MaQtpQSOM5bR6w@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>, TAG <www-tag@w3.org>, Charlie Reis <creis@chromium.org>
On Fri, Jan 10, 2014 at 3:13 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Jan 10, 2014 at 9:20 AM, Mike West <mkwst@google.com> wrote:
> > I like the concept very much. I'm unclear as to the practical implementation
> > you're proposing. How do sites opt-in to this sort of treatment? How do you
> > determine when a site ought to get credentials and when it shouldn't?
>
> I would expect opt-in to be similar to HSTS. Once done, the browser
> will remember that the given origin wants to be partitioned. And only
> if that origin is navigated to is its associated context (such as
> cookies and cache) available.
>
> It's not entirely clear if in different contexts (when something else
> is navigated to) isolated origins should be given special treatment.
>
> This came out of a discussion we had about hosted apps and similar
> experiments and how they are different from the web you browse and
> whether we should make that into something you can opt into. (I hope
> this addresses Henri's question too.)
>

We have actually attempted implementing such isolation based on ideas in a
paper <http://www.charlesreis.com/research/publications/ccs-2011.pdf?attredirects=0>
by Charlie Reis, Adam Barth, et al. I've even used it and blogged about how
to try this experimental feature at
http://netsekure.org/2012/03/30-days-with-isolated-apps-in-chrome/. The
underlying partitioning code is still mostly in the Chromium source, but
will likely disappear in the not so distant future, but feel free to try it
out and experiment with the UX.

Instead of using HSTS, we implemented this on the client side for the
purpose of testing it out. We decided not to ship this in its current
implementation, because of the confusing user experience in our
implementation. The example scenario that is confusing for the user is a
news site with social networking buttons, which when clicked lead to
authentication prompts, even though the user is already logged into the
social network.
Our decision was to try and achieve the same end result through different
means, due to how we implement and enforce partitioning. We are currently
working on the first piece needed to get us there.

If you are interested in gory details of why it didn't work as users
expect it, let me know and I'll be happy to explain.

Thanks,
Nasko
Received on Sunday, 12 January 2014 13:20:37 UTC
