Re: [w3ctag/design-reviews] Securer Contexts (#471)

> it does not help with window.frames and "cross-origin" history manipulation, which is fine, but adds some confusion as they are part of the threat model.

I think that COOP/COEP would help mitigate this threat (insofar as it would require victims to opt into being attackable (which, hopefully, they wouldn't do)). Given the cross-origin/cross-frame nature of both `window.frames` and `window.history`, it seems clear that at least this aspect of their behavior should be gated on those features. As you say, they fit the threat model.

The question, then, is how we ratchet down over time. I think that's more a practical question of deployability than one of principle. It seems quite possible to begin holding new APIs to a reasonable standard, and at the same time begin to figure out how to hold older APIs to the same.

The primary feedback I'm hoping to get at this point is whether the threat model itself is the one we ought to keep in mind when considering how to ship new features. If so, then we can figure out together what lines we'll be able to practically draw around which set of APIs.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/471#issuecomment-582493248

Received on Wednesday, 5 February 2020 16:31:59 UTC