W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2014

Re: Origin-scoped cache/cookie/storage context

From: Nasko Oskov <nasko@chromium.org>
Date: Wed, 15 Jan 2014 10:52:46 -0800
Message-ID: <CAA=myAs2Z4bUGqeAMCGw3CJxQ5YmYX0wDjmGEu35ScZw7hT1pA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>, TAG <www-tag@w3.org>, Charlie Reis <creis@chromium.org>
On Wed, Jan 15, 2014 at 1:23 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Jan 14, 2014 at 6:46 PM, Nasko Oskov <nasko@chromium.org> wrote:
> > In a pop-up window, the navigation is actually top level. The reason for
> it
> > not working though is that windows with synchronous scripting
> relationships
> > must stay in the same renderer process, hence they cannot use different
> > storage partitions. This causes the user to have to login in a pop-up for
> > each isolated origin, which defeats the purpose of origin isolation.
>
> Could we isolate these similar to <iframe>? Perhaps with a new API?
>

It will have to be a new API or modification to window.open, otherwise we
risk breakage. There is a hack we have in Chromium to work around this, but
having a proper API will be best. We have proposed this in the past, but
didn't go far:
http://wiki.whatwg.org/wiki/Links_to_Unrelated_Browsing_Contexts.


> > While a[t] this, I should mention that we do not isolate on the basis of
> > origins, rather on the concept of "site". It includes the scheme and the
> > registered domain name, so relaxing origin through document.domain is not
> > broken. It excludes subdomains and port numbers.
>
> It seems that if a site opts into this better security model, we could
> go and disable document.domain...
>

While it does sound good in theory, I wonder how well it will fare in
practice. If a site wants the protection, but cannot refactor in reasonable
timeframe to avoid document.domain, then they will be missing on a very
useful protection.

Another issue is how the UI messages this to the user, without very quickly
bringing confusion with "multiple partitions". This is one of the reasons
we decided not to implement partitions for the open web.
Received on Wednesday, 15 January 2014 18:53:14 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC