- From: Zhiheng Wang <zhihengw@google.com>
- Date: Fri, 22 Oct 2010 00:59:07 -0700
- To: Sigbjørn Vik <sigbjorn@opera.com>
- Cc: public-web-perf@w3.org
- Message-ID: <AANLkTinB3j+gxxTx8L3z1UpW3nvTQfrU8P3mfvwsNt47@mail.gmail.com>
On Fri, Oct 22, 2010 at 12:29 AM, Sigbjørn Vik <sigbjorn@opera.com> wrote:

> On Thu, 21 Oct 2010 19:00:56 +0200, Zhiheng Wang <zhihengw@google.com> wrote:
>
>> On Thu, Oct 21, 2010 at 7:46 AM, Sigbjørn Vik <sigbjorn@opera.com> wrote:
>>
>>> I see the following note:
>>> "Note: The relaxed same origin policy doesn't provide sufficient protection
>>> against unauthorized visits across documents. In shared hosting, an
>>> untrusted third party is able to host an HTTP server at the same IP address
>>> but on a different port."
>>> I must have missed this discussion, this is similar to the mail just sent
>>> about cookie domains (here called relaxed same origin). I am not quite sure
>>> I understand what "unauthorized visits across documents" means?
>>
>> ah, right, I missed this in the discussion yesterday. cookie domain
>> doesn't work in cases like shared hosting, e.g., I have my web site on
>> my.hosting.com and yours on yours.hosting.com. We probably don't want to
>> share information between them.
>
> Right, this is a potential problem. However, these domains already share
> cookies, and such domains are rarely used for sensitive data[1]. Timing
> information is not direct information either, only indirect, which at most
> indicates if a user is logged in or not.
>
> My thought is that using a cookie domain will be of great benefit to
> developers, and that it has little real-life negative impact on websites. Do
> you foresee any practical problems doing this?
>
> [1] Maybe with the exception of people putting their personal documents
> online to be available for themselves, but such use cases are unlikely to be
> tricked by spoofing.

Different sub-domain is only part of the story. Origin
<http://www.w3.org/TR/html5/origin-0.html> refers to (scheme, host, port), so
different ports and schemes could be a potential risk as well.

It's a good point that they are sharing the same cookie already, so the
additional negative impact by relaxing the SOP is at most incremental.

I actually have a bit more thought after the previous email... The SOP doesn't
seem to guarantee absolute safety either, e.g., some web services are already
hosting UGC on the same domain but a user-specific path like
some.domain.com/mystuff. Arguably though, some.domain.com *should* cover any
potential security issues.

Don't get me wrong. Cookie domain is also my favorite and I tend to agree that
its benefit is greater than other concerns. :-) I just feel like bringing up
the point for discussion. And if we all agree on using the cookie domain, we
will go with it.

thanks,
Zhiheng

> --
> Sigbjørn Vik
> Quality Assurance
> Opera Software
Received on Friday, 22 October 2010 07:59:46 UTC
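The two policies under discussion can be made concrete by checking which pairs of documents each one would treat as allowed to share timing data. The following is an added example and is not code from the mail, from the Navigation Timing spec or from either participant; it contrasts the strict origin tuple (scheme, host, port) with RFC 6265 section 5.1.3 cookie domain-matching, which is the "cookie domain" / relaxed policy the thread refers to. The host names `hosting.com` and `domain.com` and the `Domain` values are constructed placeholders; the example generalizes the thread's shared-hosting case to the port and scheme differences Zhiheng raises.

```javascript
// Added example (not part of the original W3C mail): strict same-origin
// (scheme, host, port) versus RFC 6265 cookie domain-matching, the
// "relaxed" policy discussed in the thread. All host names are constructed.

// Strict same-origin check: scheme, host and port must all match.
// The WHATWG URL parser reports a default port (":80" for http,
// ":443" for https) as "", so explicit default ports compare equal.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// IPv4 dotted-quad or bracketed IPv6 literal, as the URL parser reports it.
function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[');
}

// RFC 6265 section 5.1.3 domain-matching: the host matches a cookie Domain
// if it is identical to it, or ends with "." + domain and is not an IP.
function domainMatches(hostname, cookieDomain) {
  const host = hostname.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === domain) return true;
  if (!host.endsWith('.' + domain)) return false;
  return !isIpAddress(host);
}

// Relaxed (cookie-domain) check: both documents receive a cookie scoped to
// cookieDomain. Cookies are neither port- nor scheme-isolated, so port and
// scheme play no role here, unlike in sameOrigin().
function sameCookieDomain(urlA, urlB, cookieDomain) {
  return domainMatches(new URL(urlA).hostname, cookieDomain)
      && domainMatches(new URL(urlB).hostname, cookieDomain);
}

// For one pair of documents, report which policy would let them share
// timing data.
function classify(urlA, urlB, cookieDomain) {
  return {
    strictSop: sameOrigin(urlA, urlB),
    cookieDomain: sameCookieDomain(urlA, urlB, cookieDomain),
  };
}

// Constructed sample pairs: [document A, document B, cookie Domain attribute].
const SAMPLES = [
  // the shared-hosting case from the thread: two tenants under one cookie domain
  ['http://my.hosting.com/',   'http://yours.hosting.com/',    'hosting.com'],
  // same host, different port: a different origin, but the same cookie domain
  ['http://some.domain.com/',  'http://some.domain.com:8080/', 'domain.com'],
  // same host, different scheme: again a different origin, same cookie domain
  ['http://some.domain.com/',  'https://some.domain.com/',     'domain.com'],
  // an explicit default port is still the same origin
  ['http://some.domain.com/',  'http://some.domain.com:80/x',  'domain.com'],
  // look-alike host that is not a subdomain: neither policy matches
  ['http://some.domain.com/',  'http://notdomain.com/',        'domain.com'],
];

function runSamples() {
  return SAMPLES.map(([a, b, d]) => ({ a, b, ...classify(a, b, d) }));
}

for (const r of runSamples()) {
  console.log(`${r.a} vs ${r.b}: strict SOP=${r.strictSop}, cookie-domain=${r.cookieDomain}`);
}
```

The second and third sample pairs are the ones the mail is concerned with: under the strict policy a server on another port or another scheme of the same host is a foreign origin, while under cookie-domain matching it is indistinguishable from the page itself, so any relaxation inherits exactly the sharing boundary that cookies already have.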