W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2015

RE: A Somewhat Critical View of SOP (Same Origin Policy)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Sat, 29 Aug 2015 12:23:30 +0100
To: "'Anders Rundgren'" <anders.rundgren.net@gmail.com>, <public-web-security@w3.org>, <public-webappsec@w3.org>
Message-ID: <008701d0e24d$222d07c0$66871740$@baycloud.com>
Yes, a single legal entity (like a company) can control several origins, and a single origin can be controlled by many entities (via subdomains). The SOP needs to be re-enforced by a Single Entity Policy, i.e. by secure declaration of what legal entity manages a subdomain or domain (or set of them)

Mike


-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com] 
Sent: 29 August 2015 09:21
To: public-web-security@w3.org; public-webappsec@w3.org
Subject: A Somewhat Critical View of SOP (Same Origin Policy)

A core part of the Web Security model is based on SOP.

However, the world (outside of the Web) isn't working according this model; it is rather ad-hoc.

This has lead to the "App-explosion" which is better aligned (for good or for worse) to needs of the world than a SOP-crippled Web.

Since SOP (if taken literally) would more or less kill the Web, the "Super-Providers" have come to rescue.  That is, browsers still adhere to SOP but this is effectively short-circuited by services like PayPal which enable payments to any domain.

This is where it (IMO) gets wrong.  If Super-Providers are trusted for mediating access to arbitrary domains, why couldn't [properly designed] applications also perform this task?

In addition, payments and authentication (to take an example), typically exhibit quite different privacy- and security-characteristics making the SOP-hammer a pretty blunt tool.

-- Anders
Received on Saturday, 29 August 2015 11:23:59 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:14 UTC