Re: [minutes] 20101110 Web Performance Working Group from Sigbjørn Vik on 2010-11-12 (public-web-perf@w3.org from November 2010)

From: Sigbjørn Vik <sigbjorn@opera.com>
Date: Fri, 12 Nov 2010 10:08:36 +0100
To: public-web-perf@w3.org
Message-ID: <op.vl1vomjf41y844@id-c0735.oslo.opera.com>

On Thu, 11 Nov 2010 20:04:26 +0100, James Simonsen <simonjam@chromium.org>  
wrote:

> How hosting services deal with these potential subdomain attacks is  
> beyond
> the scope of Navigation Timing. I'm sure all of the hosting services have
> security teams dedicated to addressing these issues.
>
> It's clear that many hosting sites, like the blog hosting and app hosting
> sites, use subdomains to indicate different owners.

It is also clear that many hosting sites, like my.opera and facebook (both  
high profile sites), use paths to indicate different owners. Substitute  
"subdomain" with "path" in your argument, and the conclusion that follows  
is that we cannot expose navigation timing when navigating across paths on  
the same domain. That conclusion doesn't make any sense, which shows the  
argument should not be trusted.

> That means that when we
> cross subdomains, we can't assume that the two pages have the same owner.
>
> The unload information is only relevant to the previous page. Likewise,
> redirect timing is really only relevant to the site that caused the
> redirect. It's only because of implementation difficulty that we're
> including that information in the destination page's timing. If we can't  
> be
> confident that the information is getting back to the previous page's  
> owner,
> we shouldn't expose it.

Anything we expose might end up in the wrong hands, whether it is across  
subdomains, paths, or resources. My point is that we need to take a  
pragmatic approach. If we want to take the approach of guaranteed  
theoretical security, the only conclusion possible is that we need to drop  
redirection and unload information entirely.

I take it you are supporting sharing this information across paths on the  
same domain, thus that you are taking a pragmatic approach. I suggest we  
stick with a single approach all the way through, thus evaluating the  
possible impact our decisions have. I maintain that the possible impact,  
both on cross-path and cross-subdomain sharing is very small, though  
existant for both of them. Do you want 0 risk, or a risk balanced against  
the use cases?

If the latter, I'd like to understand why you think the line in the sand  
should be drawn exactly between path and subdomain, rather than between  
subdomain and domain.

-- 
Sigbjørn Vik
Quality Assurance
Opera Software

Received on Friday, 12 November 2010 09:09:06 UTC