- From: Brian Smith <brian@briansmith.org>
- Date: Mon, 9 Feb 2015 03:41:02 -0800
- To: Jim Manico <jim.manico@owasp.org>
- Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Jim Manico <jim.manico@owasp.org> wrote:
>> The general thrust is "Don't run third-party JavaScript in your site's context." and "Don't serve ads that require DOM access"
>
> Mike, this shuts down the vast majority of the internet advertising
> industry and doesn't seem realistic, especially for media-centric
> endeavors. What is the endgame here, sandboxing or forcing the ad
> industry to fundamentally change?

My suggestions here definitely are solely about applying the principle of least privilege to ads and other third-party code that is commonly embedded on pages. It's not about hurting advertisers or eliminating their access to any information they need access to. My suggestions are purely about eliminating the ability of a compromised ad/widget server to compromise the security of every origin that embeds its content.

I think it is likely that the current capabilities of iframe sandbox are insufficient to satisfy the (perceived) needs of such third-party widgets, but I think that's something that can be fixed. But, solutions require more input from the people that build and use these widgets. For example, you say that my suggestion doesn't seem realistic "especially for media-centric endeavors." It would be great to hear from you and others about why it is unrealistic now.

Cheers,
Brian

Received on Monday, 9 February 2015 11:41:32 UTC