W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: WebAppSec re-charter status

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 12 Feb 2015 08:42:24 +0100
Message-ID: <CADnb78jk_cYXxMdDMgPtZ43OJQTpsWy=JfdEKO8C7pTyhd7WcA@mail.gmail.com>
To: David Ross <drx@google.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Deian Stefan <deian@cs.stanford.edu>, Martin Thomson <martin.thomson@gmail.com>, Brad Hill <hillbrad@gmail.com>, Jeffrey Yasskin <jyasskin@google.com>, Mike West <mkwst@google.com>, Wendy Seltzer <wseltzer@w3.org>, Dan Veditz <dveditz@mozilla.com>, Mounir Lamouri <mlamouri@google.com>, David Baron <dbaron@dbaron.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Feb 11, 2015 at 11:09 PM, David Ross <drx@google.com> wrote:
> That being said, I think the criticism is a bit unfair.  EPR is an opt-in
> feature with an intended audience largely separate from those who might wish
> to prevent deep linking on their web sites.

Why does the intended audience of the feature matter? What matters is
what it does and how it can be used, no?

> I don't see any reason to
> believe that we will see excessive and inconsiderate application of EPR
> leading to linkability issues on the web at large.  If a publisher is
> determined to prevent deep linking there are plenty of ways for them to do
> that today, whether they choose to make use of the web platform or not.
> IMO, quashing proposed platform functionality such as EPR constrains
> consumers of the web platform and serves to limit the attractiveness of the
> platform as a whole.

We just want to be cautious.

> EPR helps enable the web platform to support scenarios with very stringent
> security requirements.  For example, XSS or XSRF is an unacceptable failure
> mode for sensitive applications.  (Eg: Administrative consoles)  Authors of
> these sensitive applications sometimes favor implementation as a legacy
> platform app, a mobile app, or even a command line app over the web app
> platform simply because of this security consideration.  I believe it's
> important to provide the _option_ for developers to implement EPR to better
> meet their security requirements.

There are other ways we could limit some of these too I think. E.g. by
introducing first-party and/or same-origin cookies.

Received on Thursday, 12 February 2015 07:42:47 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC