- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Sat, 29 Aug 2015 10:21:12 +0200
- To: "public-web-security@w3.org" <public-web-security@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
A core part of the Web Security model is based on SOP. However, the world (outside of the Web) isn't working according this model; it is rather ad-hoc. This has lead to the "App-explosion" which is better aligned (for good or for worse) to needs of the world than a SOP-crippled Web. Since SOP (if taken literally) would more or less kill the Web, the "Super-Providers" have come to rescue. That is, browsers still adhere to SOP but this is effectively short-circuited by services like PayPal which enable payments to any domain. This is where it (IMO) gets wrong. If Super-Providers are trusted for mediating access to arbitrary domains, why couldn't [properly designed] applications also perform this task? In addition, payments and authentication (to take an example), typically exhibit quite different privacy- and security-characteristics making the SOP-hammer a pretty blunt tool. -- Anders
Received on Saturday, 29 August 2015 08:21:48 UTC