
Re: [webappsec] Rechartering: Sub-Origins

From: Nottingham, Mark <mnotting@akamai.com>
Date: Sat, 22 Nov 2014 19:57:23 -0600
To: Brian Smith <brian@briansmith.org>
CC: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <DC4B85FB-6DF7-4C11-B7A3-7E8905BD4B42@akamai.com>

Catching up…


> On 11 Nov 2014, at 12:26 pm, Brian Smith <brian@briansmith.org> wrote:
> 
> On Mon, Nov 10, 2014 at 3:53 PM, Brad Hill <hillbrad@gmail.com> wrote:
>> I guess that is a (likely unintended) consequence of the feature.
> 
> I also assume that if it is a consequence, it is unintended.
> 
>> Adversarial blocking tools like this are always going to lead to an
>> arms race / cat-and-mouse / pick your metaphor for neverending
>> game-theoretic churn.  Once there's enough money at stake, the
>> decision to take the risk will probably be made, with or without good
>> mitigation technologies available. Do we want to sacrifice the ability
>> to more easily partition applications into securable components for a
>> position in that battle that will surely be overrun anyway?
> 
> I think it is good to recognize the issue, and ask for feedback from
> people on the pro-tracking-protection side. I forwarded part of the
> thread to the relevant people at Mozilla. It may be the case that
> there is a way to avoid the negative unintended consequence without
> sacrificing the security benefits. At least, I think that should be a
> goal.

+1

In particular, it’s concerning that we’re creating a new artefact on the Web that has all of the properties of an origin, but it can’t be discriminated from other origins using the same (scheme, host, port) tuple — as most things do.

Cheers,

--
Mark Nottingham    mnot@akamai.com   http://www.mnot.net/


Received on Sunday, 23 November 2014 01:59:24 UTC