
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Mon, 31 Aug 2015 06:57:56 +0200
To: Tony Arcieri <bascule@gmail.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <55E3DED4.7020508@gmail.com>
On 2015-08-31 01:08, Tony Arcieri wrote:
> On Sat, Aug 29, 2015 at 1:21 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
>     A core part of the Web Security model is based on SOP.
>
>     However, the world (outside of the Web) isn't working according to this model; it is rather ad hoc.
>
>     This has led to the "App explosion", which is better aligned (for good or for worse) to the needs of the world than a SOP-crippled Web.
>
>
> I think this argument is a total non-sequitur. On the desktop we saw a huge shift away from native applications to web-based ones. It's only on the mobile web that we see the reverse. If SOP is holding back the mobile web, why did we see the opposite on the desktop?

For security-related applications of the kind I mentioned (e.g. payments), the desktop Web hasn't progressed much.  Even on the desktop, "Apps" have (through rather clumsy OOB arrangements) essentially been the only improvement that has gotten any traction worth mentioning.  SOP-crippled solutions like WebCrypto don't really cut it.

The W3C WebCrypto.Next effort targeting smart cards etc. was shelved.  AFAICT, among many other things, they ran into the SOP roadblock (restricting a card/key to a domain).  Workarounds are imaginable, but then you get hit by the permission monster: http://webpki.org/papers/permissions.pdf

>
> I think the deficiencies of the mobile web have a lot more to do with performance, both on a limited mobile connection and with more limited hardware.
>
> What is your reasoning that the limitations of SOP are driving the shift from mobile web to native apps, and why did we see the opposite on the desktop?
>
> -- 
> Tony Arcieri
Received on Monday, 31 August 2015 04:58:36 UTC