W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2013

Re: Serialized suborigins

From: Joel Weinberger <jww@chromium.org>
Date: Fri, 13 Sep 2013 15:50:25 -0700
Message-ID: <CAHQV2K=M3HQtaZOyf-0h9tqrkkAFevRGFrBBqn3X3iXuN8QD4A@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Regarding ports, I just meant to include the port somewhere since we ought
to support non-port 80 HTTP, etc. Didn't mean that to convey anything
beyond the regular scheme/host/port origin combination. Other comments are
inlined below.


On Thu, Sep 12, 2013 at 12:03 PM, Michal Zalewski <lcamtuf@coredump.cx>wrote:

> Hey,
>
> Honestly, I'm a bit struggling to understand what's the key benefit of
> doing suborigin://hashed-concat versus suborigin://non-hashed-concat -
> in that both of these representations will not be literal string
> matches for any existing origin if done sensibly (and using a literal
> suborigin:// further alleviates most fears).
>
One of the concerns brought up earlier is origin comparisons by non-browser
entities and trying to avoid matches at all cost. I agree that it seems
unlikely to get a match in a plugin, for example, if we did a
non-hashed-concat representation, but as I see it, why risk it? I could see
some crazy world in where somewhere deep in Flash, it does an origin
comparison that somehow skips whatever delimiter we have in place. But
you're right, I'm not too worried about it, so I'm certainly not tied to
the hash example.

>
> In either case, I think that keeping the communications between
> origins simple and intuitive should be a goal for both approaches.
> Perhaps base64 or rot13 is indeed a better idea.
>
Agreed, and either of those sounds good to me. Hashing just came to mind
first, but, yeah, both of those have properties that probably better
support what we care about.

>
> I agree with Brad's concern about having to preserve protocol, perhaps
> as a part of the hash.
>
Absolutely, and that was just an error in my proposal.  HASH really should
be a combination of *protocol*, hostname, and suborigin.

>
> /mz
>
Received on Friday, 13 September 2013 22:50:51 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:02 UTC