Re: A Somewhat Critical View of SOP (Same Origin Policy) from Tony Arcieri on 2015-09-28 (public-web-security@w3.org from September 2015)

From: Tony Arcieri <bascule@gmail.com>
Date: Mon, 28 Sep 2015 12:27:45 -0700
To: Alex Russell <slightlyoff@google.com>
Cc: Anders Rundgren <anders.rundgren.net@gmail.com>, GALINDO Virginie <Virginie.Galindo@gemalto.com>, "henry.story@bblfish.net" <henry.story@bblfish.net>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <CAHOTMVKRaOo7tyOHXfVpY8gHwkxqHjtrF_+P=M4sRm2n82d0sQ@mail.gmail.com>

On Monday, September 28, 2015, Alex Russell <slightlyoff@google.com> wrote:
>
> Extension APIs are, by definition, outside SOP; not only do they break SOP
> they exist primarily to subvert it (e.g., content scripts).
>
> This is basic stuff. It's hard to have a conversation about such a
> complicated area without shared understanding of the basics.
>

I really have to agree. This whole wiki page has so many problems it's
effectively a gish gallop*, preventing meaningful conversation because no
one could possibly respond to all of the problems.

In an area where there is not only rough consensus and running code, but
precise definitions, specifications, and a common nomenclature, this
document does a lot of redefining of terms (most notably SOP itself), that
is when it's not making slippery slope arguments around the security
guarantees SOP can provide and suggesting we give up because SOP is not the
universal panacea for all problems.

I can cite some specific examples for the curious, but I'm not going to run
the gish gallop.

My only real request for this Wiki page is it be given a more appropriate
name, like "Criticisms of the Same-Origin Policy" (which this document
confusingly and repeatedly calls "Single-Origin Policy", itself a testiment
to the overall degree of misunderstanding happening here)

[1]: http://rationalwiki.org/wiki/Gish_Gallop

-- 
Tony Arcieri

Received on Monday, 28 September 2015 19:28:13 UTC