Re: A Somewhat Critical View of SOP (Same Origin Policy)

> On 1 Oct 2015, at 19:40, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
> Since Microsoft and Mozilla have decided to implement Chrome extensions
> including Native Messaging this topic has effectively left the W3C
> so we can safely put it to rest.  Problem solved :-)

Whether it is specified in the W3C or not is not really relevant,
since other features like TLS, FIDO, OpenID or OAuth are also specified
outside of the W3C but are part of the debate.

I don't know much about Native Messaging, but following the link 
from the wiki [1] I arrived at the API spec, where I see that there 
are some restrictions as to what domains the extension can work with.

https://developer.chrome.com/extensions/messaging#external-webpage

The extension has to specify in its Manifest from which domains it wishes
to receive messages. The example given is:

"externally_connectable": {
    "matches": ["*://*.example.com/*"]
}

So clearly this allows cross-origin use of the extension, which can presumably
keep data in the external application and then use that to communicate with the
other sites specified in the manifest.

Where in the case of FIDO we have the web site limiting the use of a key within
some limits imposed on it, here we have the extension limiting which sites can
use it.

This would actually be much more interesting if one could devise a method by
which extensions could securely and without name clashes work with any site.
Here it seems a bit half way in both directions.

As I said I am new to this space, so I am happy to be corrected here.

Henry

[1] https://blog.chromium.org/2013/10/connecting-chrome-apps-and-extensions.html


Received on Thursday, 1 October 2015 20:02:54 UTC
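As an added example (not from Henry's mail nor from the Chrome project), here is the extension side of the arrangement discussed above: a listener for messages from external web pages that re-validates the sender's URL against the same "*://*.example.com/*" match pattern the manifest declares, so a manifest widened later cannot silently grant more sites access than the code expects. The matcher implements only the pattern subset used in the mail (scheme, host with optional "*." prefix, path); ports and other pattern features are out of scope and simply fail to match. The chrome.runtime.onMessageExternal wiring is an assumption about the extension API and is skipped when run outside a browser.

```javascript
// Escape a literal string for use inside a RegExp.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Convert a Chrome-style match pattern ("<scheme>://<host><path>") into a RegExp.
// Subset only (assumption): scheme "*" | "http" | "https"; host "*", "*.domain" or
// exact; path "/..." where "*" is a wildcard. "*.example.com" also matches the bare
// "example.com", as in the real pattern syntax. URLs with ports do not match.
function matchPatternToRegExp(pattern) {
  const m = /^(\*|https?):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  const schemeRe = scheme === '*' ? 'https?' : scheme;
  let hostRe;
  if (host === '*') hostRe = '[^/]+';
  else if (host.startsWith('*.')) hostRe = '(?:[^/]+\\.)?' + escapeRe(host.slice(2));
  else hostRe = escapeRe(host);
  const pathRe = escapeRe(path).replace(/\\\*/g, '.*');
  return new RegExp(`^${schemeRe}://${hostRe}${pathRe}$`);
}

// The same pattern list as the manifest's "externally_connectable.matches".
const ALLOWED_SENDERS = ['*://*.example.com/*'].map(matchPatternToRegExp);

// sender.url is the full URL of the page that sent the message. The manifest
// already filters senders; checking again keeps the allow-list explicit in code.
function isAllowedSender(sender) {
  if (!sender || typeof sender.url !== 'string') return false;
  return ALLOWED_SENDERS.some((re) => re.test(sender.url));
}

// Handle a message from an external page; the reply is returned, not printed.
function handleExternalMessage(msg, sender) {
  if (!isAllowedSender(sender)) return { error: 'sender not allowed' };
  return { ok: true, echo: msg };
}

// Wire the handler up only inside an extension (chrome.* is undefined in Node).
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((msg, sender, sendResponse) => {
    sendResponse(handleExternalMessage(msg, sender));
  });
}
```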