Re: Origin-scoped cache/cookie/storage context

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 11 Jan 2014 16:43:36 +0000
Message-ID: <CADnb78jKicTOzTe+ajQ+ZoLxwAEin8pBc9OAGM_eUTYu0fSESA@mail.gmail.com>
To: Nasko Oskov <nasko@chromium.org>
Cc: Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>, TAG <www-tag@w3.org>, Charlie Reis <creis@chromium.org>
On Fri, Jan 10, 2014 at 6:09 PM, Nasko Oskov <nasko@chromium.org> wrote:
> We have actually attempted implementing such isolation based on ideas in a
> paper [ http://www.charlesreis.com/research/publications/ccs-2011.pdf ]
> by Charlie Reis, Adam Barth, et al.
> The example scenario that is confusing for the user is a
> news site with social networking buttons, which when clicked lead to
> authentication prompts, even though the user is already logged into the
> social network.

Yeah, this feature does not seem ideal for that kind of site. I guess
the way iOS deals with this scenario is providing elevated access to
Facebook and Twitter, which works fine, but does not really scale well
and would not be a suitable solution on the web.

> Our decision was to try and achieve the same end result through different
> means, due to how we implement and enforce partitioning. We are currently
> working on the first piece needed to get us there.

Could you elaborate on this?

> If you are interested in gory details of why it didn't work as users expect
> it, let me know and I'll be happy to explain.

Assuming that once the user clicked the social network button that
would lead to some inline popup and not a top-level navigation, I
think I understand.
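To make the social-button scenario concrete, here is an added toy model of origin-scoped (double-keyed) cookie storage, where cookies are keyed by the top-level site as well as the cookie's own origin. It is not code from Chromium, the paper, or anyone in this thread, and the origins are hypothetical.

```python
# Constructed model: a cookie jar that can run either unpartitioned (keyed by
# cookie origin only) or partitioned by (top-level site, cookie origin).
from typing import Dict, Tuple

SOCIAL = "https://social.example"  # hypothetical social network
NEWS = "https://news.example"      # hypothetical news site embedding its button


class CookieJar:
    def __init__(self, partitioned: bool) -> None:
        self.partitioned = partitioned
        self._store: Dict[Tuple[str, str], Dict[str, str]] = {}

    def _key(self, top_level: str, origin: str) -> Tuple[str, str]:
        # Unpartitioned: every embedding context shares the origin's cookies.
        # Partitioned: the top-level site becomes part of the storage key.
        return (top_level if self.partitioned else origin, origin)

    def set_cookie(self, top_level: str, origin: str, name: str, value: str) -> None:
        self._store.setdefault(self._key(top_level, origin), {})[name] = value

    def cookies(self, top_level: str, origin: str) -> Dict[str, str]:
        return dict(self._store.get(self._key(top_level, origin), {}))


def session_visible(partitioned: bool, top_level: str) -> bool:
    """Does the social network's session cookie reach a request to SOCIAL
    made while `top_level` is the top-level site?"""
    jar = CookieJar(partitioned)
    # The user logged in to the social network as a top-level page.
    jar.set_cookie(SOCIAL, SOCIAL, "session", "abc123")
    return "session" in jar.cookies(top_level, SOCIAL)


def button_in_news_page(partitioned: bool) -> bool:
    # The embedded button runs with top-level site NEWS: under partitioning it
    # lands in an empty (NEWS, SOCIAL) partition and triggers a login prompt.
    return session_visible(partitioned, NEWS)


def popup_to_social(partitioned: bool) -> bool:
    # A top-level popup to SOCIAL makes SOCIAL the top-level site again, so the
    # first-party partition (and the existing session) applies.
    return session_visible(partitioned, SOCIAL)
```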

Received on Saturday, 11 January 2014 16:44:05 UTC