Re: A Somewhat Critical View of SOP (Same Origin Policy)

On Sun, Aug 30, 2015 at 06:46:21AM +0200, Anders Rundgren wrote:
> I think I understand what you are trying to accomplish.
> DBOUND is about resource sharing between related domains, right?
> That's cool but I'm working at the other end of the spectrum where Unrelated, Competing,
> and Independent domains are requesting resources like money from users.

Well, this depends on what you mean by "related".

The current discussion got whittled down to just directly-related
domains, because that seemed to be the only thing anyone cared about.

But IMO, if uses payment processor,
then there's a relationship between them.  The point of putting the
information online in some way (and in particular, in putting the data
up in a bilateral way so that a user could check both sides to see
whether they agree) is to allow users to make practical decisions (or
more accurately, allow user agents to make such decisions
automatically, since most users are not going to be able to make such
decisions reasonably).  There ought to be a way for to
publish, "I use," and for
to say, "I confirm that is using us."  In the presence of
that information, it's possible to proceed with greater assurance that
there's no attack going on and without having a magic but small list
of (as you call them) Super-Providers.

At least, that's why I think these cases turn out to be the same problem.

Best regards,


Andrew Sullivan

Received on Sunday, 30 August 2015 16:07:13 UTC