
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sat, 26 Sep 2015 03:56:27 +0200
To: Alex Russell <slightlyoff@google.com>
Cc: public-web-security@w3.org, Tony Arcieri <bascule@gmail.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Rigo Wenning <rigo@w3.org>
Message-ID: <5605FB4B.8060008@gmail.com>

On 2015-09-25 22:31, Alex Russell wrote:
> If by "dead silence" you mean "constructive proposals to bridge the gap" [1], then yes, you're correct,
> [1] https://discourse.wicg.io/t/rfc-proposal-for-new-web-payments-api/1100

Thanx Alex,
It is great to see a concrete contribution. Apparently Microsoft is interested as well.

May I take the liberty of commenting a bit on the proposal (as it stands today) with the
subject line and webappsec/web-security as context?

The proposal doesn't refer to SOP (there is no security considerations section).
The proposal instead relies on a browser-based mediator UI where the user decides
what is OK and what is not.  Isn't this pretty much what this lengthy debate
really was about in the first place?

Apple Pay is mentioned.  This system already has a UI which IMO seems to clash
with the idea that browsers should be equipped with payment UIs.

The proposal claims to add security to the plot by enabling new protocols to the Web.
I would be cautious about such promises.  Even the initial paymentRequest is likely
to be a part of new protocols making browsers subject to constant and fairly
application-specific updates, or alternatively, stall innovation.

Is there another way?  Yes, nuking the browser payment API concepts, and rather
standardizing/improving Native Messaging, which also has a gazillion other applications.
The security properties for payments should be fully comparable as far as I can tell.

> On Wed, Sep 23, 2015 at 12:42 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>     In my opinion the #1 problem with this discussion is that when you mention
>     things that don't match the SOP vision, like the fact that Android-, Apple-,
>     and Samsung-Pay don't work on the Web, dead silence is all you get.
>     -- Anders

Received on Saturday, 26 September 2015 01:57:01 UTC