- From: Joel Weinberger <jww@chromium.org>
- Date: Mon, 31 Aug 2015 22:57:33 +0000
- To: Anders Rundgren <anders.rundgren.net@gmail.com>, Tony Arcieri <bascule@gmail.com>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAHQV2K=9bD+BKFiVJR1CWy+LEZwMnNyRxxMM5vXY-OyuM5CMTA@mail.gmail.com>
I'm pretty confused by your premise. Mobile platforms (admittedly I'm much more familiar with Android than iOS) have a hard enforced SOP (albeit defined per-app rather than per scheme/host/port triple). On Android, this is a hard process boundary. Anything outside of that must be done via an API. Notably, the permissions that rest with apps tend to be more permissive on mobile than on the Web (such as socket access), but that's an orthogonal issue. Is your objection just that scheme/lhost/port isn't the right same-origin boundary? If so, what is the right boundary (that also holds backwards compatibility)? --Joel On Sun, Aug 30, 2015 at 9:59 PM Anders Rundgren < anders.rundgren.net@gmail.com> wrote: > On 2015-08-31 01:08, Tony Arcieri wrote: > > On Sat, Aug 29, 2015 at 1:21 AM, Anders Rundgren < > <anders.rundgren.net@gmail.com>anders.rundgren.net@gmail.com> wrote: > >> A core part of the Web Security model is based on SOP. >> >> However, the world (outside of the Web) isn't working according this >> model; it is rather ad-hoc. >> >> This has lead to the "App-explosion" which is better aligned (for good or >> for worse) to needs of the world than a SOP-crippled Web. >> > > I think this argument is a total non-sequitur. On the desktop we saw a > huge shift away from native applications to web-based ones. It's only on > the mobile web that we see the reverse. If SOP is holding back the mobile > web, why did we see the opposite on the desktop? > > > For security-related applications of the kind I mentioned (e.g. payments), > the desktop Web haven't progressed much. Even on the desktop, "Apps" have > (through rather clumsy OOB-arrangements), essentially been the only > improvement that have gotten any traction worth mentioning. SOP-crippled > solutions like WebCrypto doesn't really cut it. > > The W3C WebCrypto.Next effort targeting smart cards etc. was shelved. > AFAICT, they among many things ran into the SOP roadblock (restricting a > card/key to a domain). Workarounds are imaginable but then you get hit by > the permission-monster: http://webpki.org/papers/permissions.pdf > > > > I think the deficiencies of the mobile web have a lot more to do with > performance, both on a limited mobile connection and with more limited > hardware. > > What is your reasoning that the limitations of SOP are driving the shift > from mobile web to native apps, and why did we see the opposite on the > desktop. > > -- > Tony Arcieri > > >
Received on Monday, 31 August 2015 22:58:10 UTC