W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: iframe sandbox for third-party widgets and ads (was Re: [CSP] Clarifications on nonces)

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 09 Feb 2015 19:23:34 +0000
Message-ID: <CAEeYn8jMHYOsM=ZHJaMhSkOENq=rB8pKxsWSWYPVESO5BqOPWA@mail.gmail.com>
To: Jim Manico <jim.manico@owasp.org>
Cc: Mike West <mkwst@google.com>, Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
There is probably an opportunity, if enough important providers of
placement inventory are interested,  to sell "secure" placements, so long
as the demand side has the tools to easily build secure creative content
and is confident that they can reliably author it one time and it will work
with many different providers.

I don't think there is a realistic opportunity to create a market for N
different and incompatible flavors of "secure" placement, where N = the
Cartesian product of fine-grained feature flags.  The inconsistency, extra
effort and uncertainty involved in creating such ads will be a much
stronger deterrent to their adoption than any particular technical
restriction they might be subject to.

On Mon Feb 09 2015 at 11:04:46 AM Jim Manico <jim.manico@owasp.org> wrote:

> > From my perspective, the easiest way to accommodate that demand-side
> feature pressure is not a bunch of fine-grained feature flags, but
> prioritizing a model that can be easily integrated into the *authoring
> tools* for advertising creative content
>
> Brad, if you want effective authoring tools for "advertising creative
> content" that can access •some• of the DOM, I think fine-grained feature
> flags will be needed.
>
> And someone please shoot me for discussing advertiser concerns. I feel
> dirty.
>
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> On Feb 9, 2015, at 7:49 PM, Brad Hill <hillbrad@gmail.com> wrote:
>
> <hat=individual>
>
> In the end, like so much of security, this is going to boil down to
> economics and incentives.  We should take it as a given that we are not
> going to solve everybody's problem and create a perfect security utopia for
> advertising.
>
> What we can do is create primitives that allow those on the supply-side
> who care to offer reasonable security guarantees without having to turn
> away too much demand.
>
> From my perspective, the easiest way to accommodate that demand-side
> feature pressure is not a bunch of fine-grained feature flags, but
> prioritizing a model that can be easily integrated into the *authoring
> tools* for advertising creative content, so that it is clear to agencies
> what will work and how they can build stuff that will be supported in a
> "secure" ad placement.
>
> -Brad
>
> On Mon Feb 09 2015 at 4:29:49 AM Jim Manico <jim.manico@owasp.org> wrote:
>
>> > It would be great
>> to hear from you and others about why it is unrealistic now.
>>
>> If you want to get premium-level compensation from some ad providers
>> then you need to give them full DOM access.  This "goes away" in a
>> world where ads are fully sandboxed or not allowed DOM access.
>>
>> I am just wondering is the end game to shut this down or perhaps
>> provide a more flexible sandbox? I am hoping a flexible sandbox is the
>> end game.
>>
>> If there is a configurable ad-friendly web standard for DOM accessible
>> advertising, please point me in the direction.
>>
>> Aloha,
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>> > On Feb 9, 2015, at 12:55 PM, Mike West <mkwst@google.com> wrote:
>> >
>> > It would be great
>> > to hear from you and others about why it is unrealistic now.
>>
>>
Received on Monday, 9 February 2015 19:24:14 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC