Re: A Somewhat Critical View of SOP (Same Origin Policy)

On Saturday 29 August 2015 12:23:30 Mike O'Neill wrote:
> Yes, a single legal entity (like a company) can control several origins, and
> a single origin can be controlled by many entities (via subdomains). The
> SOP needs to be re-enforced by a Single Entity Policy, i.e. by secure
> declaration of what legal entity manages a subdomain or domain (or set of
> them)

This is just calling for large entities being able to control multi-site 
services. To require SOP to be tied to the legal structure is not a solution. 
It looks compelling only at first glance and evaporates when talking about 
groups of legal persons that are dependent. 

I'm rather with Anders here. I don't think the SOP argument has anything to do 
with the discussion about securing things by hardware. If SOP is the only 
possible scope in your head, we have a problem anyway, Houston...

So I think Anders' message should serve to start the scoping discussion. P.ex. 
I do NOT want to scope something for the same origin, but for "this 
transaction". Coming on with the SOP as a drop dead argument against hardware 
security and TEE is doing the apples and oranges game. Saying an apple is not 
a good orange is not really helpful. 

 --Rigo

Received on Monday, 14 September 2015 11:57:40 UTC