W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2013

Re: Sub-origins

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 26 Aug 2013 15:09:11 -0700
Message-ID: <CAEeYn8g8gPqdGNg4AT=HDLj57VBBX4LJRGbyj5Q7OZY3O6bauA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Joel Weinberger <jww@chromium.org>

 I wonder what you might say to the following proposal:

Content-Security-Policy: sandbox suborigin:'isolateme'

Where the result of this is to set the origin representation to an
HMAC_SHA256 of the origin with "isolateme" as the key.

This gives the ability to developers to create convenient names for
arbitrary groupings of site functionality, makes it extraordinarily
difficult for off-origin resources to enter the new suborigin, but also
retains the origin concept as a single value string instead of two values,
with the API ripple effects that the latter would have.


On Mon, Aug 5, 2013 at 3:08 AM, Mike West <mkwst@google.com> wrote:

> I like this concept, and I think it fits well as a CSP directive.
> -mike
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> On Sun, Aug 4, 2013 at 1:49 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
>> Joel Weinberger (@metromoxie) wrote a blog post about potentially adding
>> a suborigin feature to the web to help sprawling web domains
>> compartmentalize different parts of a site from each other. Seems
>> relevant to what we're doing in this WG, and CSP is even mentioned as a
>> possible carrier for the suborigin.
>> http://blog.joelweinberger.us/2013/08/suborigins-for-privilege-separation-in.html
>> -Dan Veditz
Received on Monday, 26 August 2013 22:09:40 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:34 UTC