W3C home > Mailing lists > Public > public-web-security@w3.org > September 2015

Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Tony Arcieri <bascule@gmail.com>
Date: Tue, 29 Sep 2015 00:20:39 -0500
Message-ID: <CAHOTMVJmC4652qDFxSCW6_kU6LdagbthB1uQHyoTZ9P_deAgXA@mail.gmail.com>
To: "henry.story@bblfish.net" <henry.story@bblfish.net>
Cc: Alex Russell <slightlyoff@google.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, GALINDO Virginie <Virginie.Galindo@gemalto.com>, "public-web-security@w3.org" <public-web-security@w3.org>
On Mon, Sep 28, 2015 at 4:56 PM, henry.story@bblfish.net <
henry.story@bblfish.net> wrote:

> This whole wiki page has so many problems it's effectively a gish gallop*,
> preventing meaningful conversation because no one could possibly respond to
> all of the problems.
> Just start with one or two you find will make your case the best.

Well, here's some text I assumed you added in response to my criticisms of
the document originally saying that cookies follow SOP:

Cookies, as specified by RFC6265: HTTP State Management Mechanism
<http://tools.ietf.org/html/rfc6265> implement a fuzzy notion of single
origin. We can distinguish two notions of Single Origin:

   - a strong notion of Single Origin where two origins are identical only
   if they are named by the same protocol, domain, port triple
   - a weak notion of Single Origin where the two origins are identical if
   they refer to the same agent.

It's not the "Single Origin policy", it's the *same-origin policy*.
Furthermore, there is no "strong" or "weak" notion of it. The origin *must
be the same*.

Regarding RFC-6265, let's see what it actually has to say:

   For historical reasons, cookies contain a number of security and
   privacy infelicities.  For example, a server can indicate that a
   given cookie is intended for "secure" connections, but the Secure
   attribute does not provide integrity in the presence of an active
   network attacker.  Similarly, cookies for a given host are shared
   across all the ports on that host, even though the usual "same-origin
   policy" used by web browsers isolates content retrieved via different

RFC-6265 is in effect telling us that cookies are broken because a long
time ago Netscape made some bad decisions.

> Perhaps we can start simple:
>  - what definition of SOP do you use, or do you think we should use?  I
> cited the IETF RFC defining SOP which I read carefully.

It's pretty simple. First, it's the "same-origin policy". Second, it works
like this:

Scheme/Protocol: Identical
Host: Identical
Port: Identical

Anything besides this is not following SOP.

Tony Arcieri
Received on Tuesday, 29 September 2015 05:21:33 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:38 UTC