
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Rigo Wenning <rigo@w3.org>
Date: Mon, 28 Sep 2015 23:56:03 +0200
To: public-web-security@w3.org
Cc: Alex Russell <slightlyoff@google.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, GALINDO Virginie <Virginie.Galindo@gemalto.com>, "henry.story@bblfish.net" <henry.story@bblfish.net>
Message-ID: <1745331.03vxpIy4jb@hegel>
On Monday 28 September 2015 11:20:47 Alex Russell wrote:
> Extension APIs are, by definition, outside SOP; not only do they break SOP
> they exist primarily to subvert it (e.g., content scripts).
> 
> This is basic stuff. It's hard to have a conversation about such a
> complicated area without shared understanding of the basics.

True, so help us understand! As this is about basics and a misunderstanding, can you 
detail or provide a link to an explanation of why the SOP is designated to work 
against the client providing some local resources?

If I want to protect data on the server, I can understand your interpretation. 
Because if I have a server-centric view, of course, localhost is my enemy 
capable of injecting malicious things into the scripts. But if I have a user-
agent centric view, I may trust stuff on my operating system more than stuff 
coming over the network, origin or not. And I may trust an origin sufficiently 
to make stuff available to it. But "break" the SOP by allowing access to local 
stuff from a script coming from the same known origin? What about local 
storage and SOP? The sqlite is running on localhost. Breaks the SOP?

I think the basics are much less clear than some believe they are. But in 
one's belief, those are always clear. I stepped over that stone many times. 

 --Rigo
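The message above asks how the Same Origin Policy relates to storage that physically lives on the client. The following is an added example, not code from this thread or from any browser: it models the origin tuple (scheme, host, port) as the WHATWG URL standard serialises it, and a storage that is keyed by that tuple the way web storage is. The class name `OriginScopedStorage`, the function names, and every URL in it are assumptions constructed for illustration.

```javascript
// Added example (not from the thread): origin computation and origin-keyed storage.
// All URLs below are constructed sample inputs.

// Default ports for the schemes that have a tuple origin; other schemes
// (file:, data:, about:) get an opaque origin, serialised as "null".
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443", "ftp:": "21" };

// Origin of a URL as its (scheme, host, port) tuple, with a default port elided.
// Userinfo, path, query and fragment play no part in it.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) return "null";
  // The URL parser already lowercases the host and drops a default port; the
  // explicit comparison makes the rule visible.
  const port = u.port && u.port !== DEFAULT_PORTS[u.protocol] ? ":" + u.port : "";
  return `${u.protocol}//${u.hostname}${port}`;
}

// Two URLs are same-origin when their tuples match. Opaque origins are
// unique, so two "null" origins never compare equal.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== "null" && oa === ob;
}

// Storage that lives entirely on the client but hands out one bucket per origin.
// `callerUrl` stands for the URL of the document whose script is running.
class OriginScopedStorage {
  constructor() {
    this.buckets = new Map();
  }

  bucketFor(callerUrl) {
    const origin = originOf(callerUrl);
    if (origin === "null") {
      // A document with an opaque origin (file:, data:, sandboxed frame) cannot
      // be given a shared "null" bucket; model the SecurityError browsers raise.
      throw new Error("SecurityError: opaque origin has no storage");
    }
    if (!this.buckets.has(origin)) this.buckets.set(origin, new Map());
    return this.buckets.get(origin);
  }

  setItem(callerUrl, key, value) {
    this.bucketFor(callerUrl).set(key, String(value));
  }

  getItem(callerUrl, key) {
    const bucket = this.bucketFor(callerUrl);
    return bucket.has(key) ? bucket.get(key) : null;
  }
}

// Store a value from one page of https://example.com and try to read it back
// from documents that differ in path, scheme, host and port.
function demo() {
  const storage = new OriginScopedStorage();
  storage.setItem("https://example.com/app/index.html", "token", "secret");
  return {
    otherPath: storage.getItem("https://example.com/other/page?x=1#y", "token"),
    httpScheme: storage.getItem("http://example.com/app/index.html", "token"),
    subdomain: storage.getItem("https://www.example.com/", "token"),
    otherPort: storage.getItem("https://example.com:8443/", "token"),
    defaultPort: storage.getItem("https://example.com:443/app/", "token"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Run it with `node origin-storage.js`. Only the reads that differ in path or in an explicit default port find the stored value; a change of scheme, host or port lands in a different bucket, and an opaque origin gets no bucket at all.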

Received on Monday, 28 September 2015 21:56:12 UTC
