Re: [whatwg/fetch] Proposal: Allow servers to take full responsibility for cross-origin access protection (#878)

@jakearchibald I think it's fair to say that there are two points - one which is a suggestion that existing functionality should not have changed, and another suggesting there should be a guarantee not only that existing functionality won't change, but that servers won't need to change to take advantage of new platform features (or relax any newly tightened restrictions on existing features).

I think both could have some parallels drawn to the discussion around Mixed Content. Historically, UAs were very lax in their permissiveness of both active and passive mixed content. Developers were allowed to choose what they felt was the appropriate trade-off between security/privacy and functionality, and thus would very often load HTTP content into the context of HTTPS, exchange cookies around between the two, etc.

The desire is reasonable, but I think it runs into challenges when faced with the [Priority of Constituencies](https://www.w3.org/TR/html-design-principles/#priority-of-constituencies) and [Secure by Design](https://www.w3.org/TR/html-design-principles/#secure-by-design).

The former prevents being able to guarantee that nothing will ever change - as UAs need to ensure that the User's needs and wishes are first and foremost respected - while the latter means that new features need to consciously consider whether there are risks to introducing them, and if so, ensure that they are introduced in a way that can be safely reasoned about.

The problem with a default opt-out is that it cannot be safely reasoned about, because at the time the opt-out was made, the information wasn't available. There's no way the developer could have made a (truly) informed choice, and it seems that some of the discussion of the problem is really a difference in philosophy about whether or not the developer was making an informed choice.

The problem with guaranteeing there won't be behaviour changes is that, as you highlighted, our understanding of the Web Platform and its security evolves over time, as do the needs of the users, and so the Web evolves around those. This is fundamentally reflected in the nature of this spec being a Living Standard - things change.

Independent of exploring solutions, it may be that there is a fundamental disagreement on the nature and validity of the problem, and whether or not web developers or user agents should be the arbiters of user security, both presently and in the future. This is an inherent tension UAs face - users want and benefit from powerful new functionality and features that enable otherwise inaccessible use cases, but users also want privacy and security and safety when interacting with the Web Platform.

@RubenVerborgh Do you feel that I've accurately captured some of the tension in perspective?

https://github.com/whatwg/fetch/issues/878#issuecomment-471034481

Received on Friday, 8 March 2019 18:48:55 UTC