Re: A Somewhat Critical View of SOP (Same Origin Policy)

On Sat, Aug 29, 2015 at 10:21:12AM +0200, Anders Rundgren wrote:
> A core part of the Web Security model is based on SOP.
> However, the world (outside of the Web) isn't working according to this model; it is rather ad-hoc.

Some of us believe that part of the reason the world isn't working
that way is that the SOP elevates the value of information you get
from a domain name in a URL.  We're trying to do something about it in
the IETF's DBOUND WG, and we could use some help.  In particular,
> This is where it (IMO) gets wrong.  If Super-Providers are trusted for mediating access to arbitrary domains, why couldn't [properly designed] applications also perform this task?

I believe that the problem is partly that it's hard for an operator of
a site to declare complicated policies about relationships with other
domains on the Internet.  I think that the efforts in DBOUND are at
least a step forward, but I worry that people think that a slightly
more capable maintenance regime for the PSL (public suffix list) will
be enough.  To me, the PSL is already inadequate and just trying to
make its maintenance easier is a waste of effort.

Best regards,


Andrew Sullivan

Received on Saturday, 29 August 2015 14:17:30 UTC