
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Joel Weinberger <jww@chromium.org>
Date: Mon, 31 Aug 2015 22:57:33 +0000
Message-ID: <CAHQV2K=9bD+BKFiVJR1CWy+LEZwMnNyRxxMM5vXY-OyuM5CMTA@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, Tony Arcieri <bascule@gmail.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I'm pretty confused by your premise. Mobile platforms (admittedly I'm much
more familiar with Android than iOS) have a hard enforced SOP (albeit
defined per-app rather than per scheme/host/port triple). On Android, this
is a hard process boundary. Anything outside of that must be done via an
API. Notably, the permissions that rest with apps tend to be more
permissive on mobile than on the Web (such as socket access), but that's an
orthogonal issue.

Is your objection just that scheme/host/port isn't the right same-origin
boundary? If so, what is the right boundary (that also holds backwards
compatibility)?
--Joel

On Sun, Aug 30, 2015 at 9:59 PM Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> On 2015-08-31 01:08, Tony Arcieri wrote:
>
> On Sat, Aug 29, 2015 at 1:21 AM, Anders Rundgren <
> anders.rundgren.net@gmail.com> wrote:
>
>> A core part of the Web Security model is based on SOP.
>>
>> However, the world (outside of the Web) isn't working according to this
>> model; it is rather ad-hoc.
>>
>> This has led to the "App-explosion" which is better aligned (for good or
>> for worse) to the needs of the world than a SOP-crippled Web.
>>
>
> I think this argument is a total non-sequitur. On the desktop we saw a
> huge shift away from native applications to web-based ones. It's only on
> the mobile web that we see the reverse. If SOP is holding back the mobile
> web, why did we see the opposite on the desktop?
>
>
> For security-related applications of the kind I mentioned (e.g. payments),
> the desktop Web hasn't progressed much.  Even on the desktop, "Apps" have
> (through rather clumsy OOB-arrangements), essentially been the only
> improvement that has gotten any traction worth mentioning.  SOP-crippled
> solutions like WebCrypto don't really cut it.
>
> The W3C WebCrypto.Next effort targeting smart cards etc. was shelved.
> AFAICT, they among many things ran into the SOP roadblock (restricting a
> card/key to a domain).  Workarounds are imaginable but then you get hit by
> the permission-monster: http://webpki.org/papers/permissions.pdf
>
>
>
> I think the deficiencies of the mobile web have a lot more to do with
> performance, both on a limited mobile connection and with more limited
> hardware.
>
> What is your reasoning that the limitations of SOP are driving the shift
> from mobile web to native apps, and why did we see the opposite on the
> desktop?
>
> --
> Tony Arcieri
>
>
>
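The scheme/host/port triple that Joel describes as the Web's SOP boundary, as an added example (not code from the thread or from any project mentioned in it): it builds the origin tuple from a URL with the WHATWG URL API, normalises default ports, and partitions a constructed list of sample URLs into the origins a browser would isolate from one another. The sample hostnames are made up for illustration.

```javascript
// Default ports per scheme, so "http://a.example" and "http://a.example:80"
// are treated as the same origin, as the URL standard specifies.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Build the (scheme, host, port) tuple the Same Origin Policy compares.
// (new URL(u).origin serialises the same tuple; it is spelled out here so
// that each component of the boundary is visible.)
function originTuple(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port };
}

// Two URLs are same-origin only if all three components match exactly;
// subdomains, a scheme change or a non-default port all break it.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Group a list of URLs by origin: each bucket is one SOP compartment.
function partitionByOrigin(urls) {
  const buckets = new Map();
  for (const url of urls) {
    const t = originTuple(url);
    const key = `${t.scheme}://${t.host}:${t.port}`;
    if (!buckets.has(key)) buckets.set(key, []);
    buckets.get(key).push(url);
  }
  return buckets;
}

// Constructed sample resources (hostnames are placeholders, not real sites).
const SAMPLE_URLS = [
  "https://bank.example/account",
  "https://bank.example:443/transfer",   // same origin as the first (default port)
  "http://bank.example/account",         // different scheme
  "https://api.bank.example/v1/balance", // different host (subdomain)
  "https://bank.example:8443/admin",     // different port
];
```

Running `partitionByOrigin(SAMPLE_URLS)` yields four buckets: only the first two URLs share an origin, which is why a page on `bank.example` cannot read responses from its own API subdomain without CORS.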
Received on Monday, 31 August 2015 22:58:10 UTC
