- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Sun, 9 Nov 2014 20:45:00 -0800
- To: Brian Smith <brian@briansmith.org>
- Cc: Michal Zalewski <lcamtuf@coredump.cx>, Jim Manico <jim.manico@owasp.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, "eisinger@google.com" <eisinger@google.com>
> > I believe Google Analytics can be contained in an iframe sandbox
> > already, if one "just" writes a wrapper around it that uses the GA API

easier said than done ;) And GA is just one example.

> Your example use case was a help page that is linked to from a secret
> URL, where you don't want the secret URL to be leaked to analytics or
> ads via document.referrer, right? Isn't this use case already covered
> decently by these two existing mechanisms:

Sure. All problems have some sort of hacky, painful solution right now. XSS can also be solved with sanitization/validation; why do we need CSP? Sub-origins can be achieved with Caja or iframe sandboxing. But CSP and sub-origins allow security engineers to reason about their applications and their security. Similarly, the referer directive. Of course we can solve problems without the referer directive; that's what everyone is doing right now. That doesn't mean it is a robust or ideal solution.

> more in line with the extensible web idea of letting web content take
> control over what it does while adding fewer new things to browsers.

Sorry, but I strongly disagree. The extensible web manifesto is definitely not about adding fewer new things to browsers. Quite the opposite, actually. If anything, the extensible web manifesto would likely suggest that it shouldn't just be that I am allowed to set the referer policy as a URI; I should be allowed to set it via a ServiceWorker that looks at the page context and can make a decision for each individual request. And even with such a feature, the extensible web manifesto definitely does not preclude the creation of new (even declarative) features for ease of use.

cheers
Dev
Received on Monday, 10 November 2014 04:45:47 UTC
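The ServiceWorker approach Dev sketches above, as an added illustration that is not code from the thread or from any of its participants: a fetch handler that picks a referrer policy per outgoing request from the page context (which document issued it and where it is going) instead of relying on one page-wide declaration. The host names, the `/help/` path prefix and the function names are assumptions made for this example.

```javascript
// Added illustration (not code from the thread): a Service Worker that decides
// the referrer policy for each outgoing request instead of relying on one
// page-wide setting. Host names, the path prefix and all function names are
// assumptions for the example.

// Hypothetical third-party analytics/ads endpoints our pages talk to.
const TRACKING_HOSTS = new Set(['analytics.example', 'ads.example']);

// Hypothetical path prefix under which "secret URL" pages live, i.e. pages whose
// path carries a capability token that must never reach a third party.
const SECRET_PATH_PREFIX = '/help/';

// Decide the referrer policy for one request.
//   pageUrl   - URL of the document that issued the request (its would-be referrer)
//   targetUrl - URL being fetched
// Returns one of the standard Referrer-Policy values.
function chooseReferrerPolicy(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);

  // Our own servers already know the full URL; nothing new leaks.
  if (page.origin === target.origin) return 'same-origin';

  // Cross-origin from a secret page: send nothing at all, not even the origin,
  // so neither analytics nor ads can tie the request back to the secret URL.
  if (page.pathname.startsWith(SECRET_PATH_PREFIX)) return 'no-referrer';

  // Known analytics/ads hosts on ordinary pages: origin only, so traffic can
  // still be attributed to the site without exposing paths or query strings.
  if (TRACKING_HOSTS.has(target.hostname)) return 'origin';

  // Any other cross-origin destination: origin only, and nothing on an
  // HTTPS -> HTTP downgrade.
  return 'strict-origin-when-cross-origin';
}

// Service Worker side. Guarded so this file also loads outside a worker
// (e.g. under Node, where only the decision function is exercised).
if (typeof self !== 'undefined' && 'ServiceWorkerGlobalScope' in self) {
  self.addEventListener('fetch', (event) => {
    const req = event.request;

    // By the time a fetch event fires, the browser has already applied the
    // page's own policy, so req.referrer is a URL or the empty string.
    // Navigations are skipped: a worker only sees navigations into its own
    // scope, and re-creating one with an init object changes its mode.
    if (req.mode === 'navigate' || !req.referrer) return;

    const policy = chooseReferrerPolicy(req.referrer, req.url);
    if (policy === req.referrerPolicy) return; // already what we want

    // Re-issue the request with the chosen policy. The referrer must be passed
    // again: constructing a Request with an init object resets it to "client",
    // which inside a worker would mean the worker script's URL, not the page.
    event.respondWith(
      fetch(new Request(req, { referrer: req.referrer, referrerPolicy: policy }))
    );
  });
}

if (typeof module !== 'undefined') module.exports = { chooseReferrerPolicy };
```

Register the worker from the page with `navigator.serviceWorker.register('/sw.js')` (path assumed). Note the limit of this approach, which is why a declarative mechanism still has a place: a worker only intercepts subresource fetches from pages it controls, so an outbound link click from the secret page, where the third party reads the secret URL from `document.referrer`, is not covered by the handler above.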