- From: Nasko Oskov <nasko@chromium.org>
- Date: Fri, 10 Jan 2014 10:09:10 -0800
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>, TAG <www-tag@w3.org>, Charlie Reis <creis@chromium.org>
- Message-ID: <CAA=myAvF2U4QHqQLg2d1o3YkiN3WCGL=VXc3MaQtpQSOM5bR6w@mail.gmail.com>
On Fri, Jan 10, 2014 at 3:13 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Jan 10, 2014 at 9:20 AM, Mike West <mkwst@google.com> wrote:
> > I like the concept very much. I'm unclear as to the practical implementation
> > you're proposing. How do sites opt-in to this sort of treatment? How do you
> > determine when a site ought to get credentials and when it shouldn't?
>
> I would expect opt-in to be similar to HSTS. Once done, the browser
> will remember that the given origin wants to be partitioned. And only
> if that origin is navigated to is its associated context (such as
> cookies and cache) available.
>
> It's not entirely clear if in different contexts (when something else
> is navigated to) isolated origins should be given special treatment.
>
> This came out of a discussion we had about hosted apps and similar
> experiments and how they are different from the web you browse and
> whether we should make that into something you can opt into. (I hope
> this addresses Henri's question too.)

We have actually attempted implementing such isolation based on ideas in a paper <http://www.charlesreis.com/research/publications/ccs-2011.pdf?attredirects=0> by Charlie Reis, Adam Barth, et al. I've even used it and blogged about how to try this experimental feature at http://netsekure.org/2012/03/30-days-with-isolated-apps-in-chrome/. The underlying partitioning code is still mostly in the Chromium source, but will likely disappear in the not so distant future, but feel free to try it out and experiment with the UX.

Instead of using HSTS, we implemented this on the client side for the purpose of testing it out. We decided not to ship this in its current implementation, because of the confusing user experience in our implementation. The example scenario that is confusing for the user is a news site with social networking buttons, which when clicked lead to authentication prompts, even though the user is already logged into the social network.

Our decision was to try and achieve the same end result through different means, due to how we implement and enforce partitioning. We are currently working on the first piece needed to get us there.

If you are interested in the gory details of why it didn't work as users expect it, let me know and I'll be happy to explain.

Thanks,
Nasko

Received on Sunday, 12 January 2014 13:20:37 UTC