Re: A Somewhat Critical View of SOP (Same Origin Policy)

> On 28 Sep 2015, at 20:27, Tony Arcieri <bascule@gmail.com> wrote:
> 
> On Monday, September 28, 2015, Alex Russell <slightlyoff@google.com> wrote:
> Extension APIs are, by definition, outside SOP; not only do they break SOP they exist primarily to subvert it (e.g., content scripts).
> 
> This is basic stuff. It's hard to have a conversation about such a complicated area without shared understanding of the basics.
> 
> I really have to agree.


If something is trying to subvert SOP and is existing in the browsers then it seems worth mentioning. I don't actually yet have a good understanding of this technology. It may be worth understanding why it tries to subvert it, and what security pieces are put in place to get over the dangers of doing so.

> This whole wiki page has so many problems it's effectively a gish gallop*, preventing meaningful conversation because no one could possibly respond to all of the problems.

Just start with one or two you find will make your case the best.

> 
> In an area where there is not only rough consensus and running code, but precise definitions, specifications, and a common nomenclature, this document does a lot of redefining of terms (most notably SOP itself), that is when it's not making slippery slope arguments around the security guarantees SOP can provide and suggesting we give up because SOP is not the universal panacea for all problems.
> I can cite some specific examples for the curious, but I'm not going to run the gish gallop.

Perhaps we can start simple: 
 - what definition of SOP do you use, or do you think we should use?  I cited the IETF RFC defining SOP which I read carefully.
 - Do you think that none of the 7 listed actual technologies goes beyond SOP? Which ones? With reference to your definition, why? Do you agree that some actually go beyond SOP?

  https://www.w3.org/Security/wiki/IG/a_view_on_SOP

Again the aim here is not to show that SOP is wrong. If you think that, then you will consistently misunderstand us.



Social Web Architect
http://bblfish.net/

Received on Monday, 28 September 2015 21:57:12 UTC
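As an added example that is not part of this thread or of the wiki page it discusses: the definition of SOP in the IETF RFC referred to above (RFC 6454) compares an origin tuple of scheme, host and port, ignoring path, query and fragment. The JavaScript below computes that tuple with the WHATWG URL class (available in browsers and Node.js) and runs a same-origin check over a few constructed URL pairs, so the question "which of these technologies go beyond SOP" can be read against a concrete check. The default-port table and the sample pairs are constructed for this illustration; extension content scripts, as the quoted reply notes, sit outside this check by design.

```javascript
// RFC 6454-style origin computation and same-origin comparison.
// Added illustration, not code from the mailing-list thread or the wiki page.
// Assumes the WHATWG URL class (browsers, Node.js). The default-port table and
// the sample URL pairs below are constructed for this example.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Return the (scheme, host, port) tuple that SOP compares. URL normalises
// a spelled-out default port away, so we restore it from the table.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] ?? "");
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port };
}

// Two URLs are same-origin iff all three tuple components match exactly.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Serialise the tuple in the usual scheme://host:port form.
function serializeOrigin(o) {
  return `${o.scheme}://${o.host}:${o.port}`;
}

// Constructed pairs showing what SOP does and does not treat as the same origin.
const SAMPLE_PAIRS = [
  ["https://example.com/a", "https://example.com:443/b/c", true],  // default port spelled out
  ["https://example.com/", "http://example.com/", false],          // scheme differs
  ["https://example.com/", "https://www.example.com/", false],     // host differs (subdomain)
  ["https://example.com/", "https://example.com:8443/", false],    // port differs
  ["https://example.com/x", "https://example.com/y?q=1#f", true],  // path, query, fragment ignored
];

// Evaluate every sample pair and report expected versus actual.
function checkSamples() {
  return SAMPLE_PAIRS.map(([a, b, expected]) => ({ a, b, expected, actual: sameOrigin(a, b) }));
}

for (const r of checkSamples()) {
  console.log(`${r.a} vs ${r.b}: same-origin=${r.actual} (expected ${r.expected})`);
}
```

The host comparison is exact, which is why a subdomain is a different origin; anything that lets code read or write across that boundary (a content script injected into a page by an extension, for instance) is operating outside what this check permits, and that is the distinction the definition question above turns on.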