Re: [webappsec] Rechartering: Sub-Origins

Catching up…

> On 11 Nov 2014, at 12:26 pm, Brian Smith <> wrote:
> On Mon, Nov 10, 2014 at 3:53 PM, Brad Hill <> wrote:
>> I guess that is a (likely unintended) consequence of the feature.
> I also assume that if it is a consequence, it is unintended.
>> Adversarial blocking tools like this are always going to lead to an
>> arms race / cat-and-mouse / pick your metaphor for neverending
>> game-theoretic churn.  Once there's enough money at stake, the
>> decision to take the risk will probably be made, with or without good
>> mitigation technologies available. Do we want to sacrifice the ability
>> to more easily partition applications in to securable components for a
>> position in that battle that will surely be overrun anyway?
> I think it is good to recognize the issue, and ask for feedback from
> people on the pro-tracking-protection side. I forwarded part of the
> thread to the relevant people at Mozilla. It may be the case that
> there is a way to avoid the negative unintended consequence without
> sacrificing the security benefits. At least, I think that should be a
> goal.


In particular, it’s concerning that we’re creating a new artefact on the Web that has all of the properties of an origin, but it can’t be discriminated from other origins using the same (scheme, host, port) tuple — as most things do.


Mark Nottingham

Received on Sunday, 23 November 2014 01:59:24 UTC