Re: A Somewhat Critical View of SOP (Same Origin Policy)

On Mon, Aug 31, 2015 at 9:52 PM, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> The reality of the cryptographic technologies WebCrypto hoped to unlock
>> in-browser is they're rarely used,
>>
>
> The is a US-centric view.


And yours is an identity-centric view of the possibilities of web
cryptography ;)

Since neither You nor Google/Microsoft/Apple/Mozilla/Whatever haven't told
> us anything on how *they* think that any number of unrelated merchants
> should/could get access to a client's payment resources on Web, we are
> apparently awaiting "Divine Intervention" :-)


I like the idea of Stripe-style payment widgets. These allow payment tokens
to be provisioned on a particular origin, and payments made via
JS/communicating iframes.

There are obviously a lot of unsolved concerns around this approach,
particularly around things like secure content embedding, phishing,
clickjacking, etc. The Position Observer API proposal looks interesting in
that regard:

https://github.com/slightlyoff/PositionObserver/blob/master/explainer.md

-- 
Tony Arcieri

Received on Tuesday, 1 September 2015 05:16:57 UTC