
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Rigo Wenning <rigo@w3.org>
Date: Tue, 29 Sep 2015 09:36:18 +0200
To: Harry Halpin <hhalpin@w3.org>
Cc: Melvin Carvalho <melvincarvalho@gmail.com>, Brad Hill <hillbrad@gmail.com>, Dave Longley <dlongley@digitalbazaar.com>, public-web-security@w3.org
Message-ID: <2984416.J63QCYvKJq@hegel>
Harry, 

On Monday 28 September 2015 20:21:48 Harry Halpin wrote:
> Again, there is no reason why SOP can't work with zero-knowledge proofs,
> URIs as human-centric identifiers, etc. You simply have to scope the
> authentication mechanism on a per origin basis (again, a very good thing
> for privacy) and then use explicit permissions. This can be done via
> FIDO+OAuth based solutions, and I see no reason why particular
> authenticators (including smartcards, eID systems, etc.) can't do it
> with other authentication and authorization flows.

This seems to be a nice summary of what Anders is trying to tell us for some 
weeks now. And if you add a scope (I would also be worried by unscoped tokens 
that can be replayed), the scope can be SOP or something even more 
restrictive. For the moment, there is no way to express that. So just putting 
an API that lets me talk to EMV is something Brad and Alex have rightly 
criticised. But the current HASEC suggestion isn't proposing such an oversimplistic 
approach either. 

--Rigo
Received on Tuesday, 29 September 2015 07:36:37 UTC
