RE: A Somewhat Critical View of SOP (Same Origin Policy) from Mike O'Neill on 2015-08-29 (public-webappsec@w3.org from August 2015)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Sat, 29 Aug 2015 15:56:02 +0100
To: "'Anders Rundgren'" <anders.rundgren.net@gmail.com>, <public-web-security@w3.org>, <public-webappsec@w3.org>
Message-ID: <014c01d0e26a$d39459b0$7abd0d10$@baycloud.com>

Hardly orthogonal, but we are clearly poles apart.

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com] 
Sent: 29 August 2015 12:54
To: Mike O'Neill <michael.oneill@baycloud.com>; public-web-security@w3.org; public-webappsec@w3.org
Subject: Re: A Somewhat Critical View of SOP (Same Origin Policy)

On 2015-08-29 13:23, Mike O'Neill wrote:
> Yes, a single legal entity (like a company) can control several origins,
  > and a single origin can be controlled by many entities (via subdomains).
  > The SOP needs to be re-enforced by a Single Entity Policy, i.e. by secure
  > declaration of what legal entity manages a subdomain or domain (or set of them)

I must confess that I don't understand how such a scheme could serve average Web users.

Anyway, this proposal seems orthogonal to what I'm talking about.

-- Anders

> -----Original Message-----
> From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com]
> Sent: 29 August 2015 09:21
> To: public-web-security@w3.org; public-webappsec@w3.org
> Subject: A Somewhat Critical View of SOP (Same Origin Policy)
>
> A core part of the Web Security model is based on SOP.
>
> However, the world (outside of the Web) isn't working according this model; it is rather ad-hoc.
>
> This has lead to the "App-explosion" which is better aligned (for good or for worse) to needs of the world than a SOP-crippled Web.
>
> Since SOP (if taken literally) would more or less kill the Web, the "Super-Providers" have come to rescue.  That is, browsers still adhere to SOP but this is effectively short-circuited by services like PayPal which enable payments to any domain.
>
> This is where it (IMO) gets wrong.  If Super-Providers are trusted for mediating access to arbitrary domains, why couldn't [properly designed] applications also perform this task?
>
> In addition, payments and authentication (to take an example), typically exhibit quite different privacy- and security-characteristics making the SOP-hammer a pretty blunt tool.
>
> -- Anders
>
>

Received on Saturday, 29 August 2015 14:56:30 UTC