W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: WebAppSec re-charter status

From: Eduardo' Vela\ <evn@google.com>
Date: Thu, 12 Feb 2015 21:32:34 +0100
Message-ID: <CAFswPa-6=uFjPFOkTJ+wtK-_4L5-3j48uVTpry55A58dj50UZg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mounir Lamouri <mlamouri@google.com>, Daniel Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Deian Stefan <deian@cs.stanford.edu>, Devdatta Akhawe <dev.akhawe@gmail.com>, David Baron <dbaron@dbaron.org>, Mike West <mkwst@google.com>, Jeffrey Yasskin <jyasskin@google.com>, Brad Hill <hillbrad@gmail.com>, David Ross <drx@google.com>, Martin Thomson <martin.thomson@gmail.com>
The status quo is that someone that wanted to make deep linking impossible
on their site, would need to 403 all requests without the right referrer.

That works for people that want to break the web. But not for people that
want to use it as a security control.

EPR changes nothing. It merely formalizes a security control that browsers
themselves use (you can't navigate to chrome://settings or config:flags).
On Feb 12, 2015 9:09 PM, "Anne van Kesteren" <annevk@annevk.nl> wrote:

> On Thu, Feb 12, 2015 at 8:01 PM, David Ross <drx@google.com> wrote:
> >> Why does the intended audience of the feature matter? What matters is
> >> what it does and how it can be used, no?
> >
> > I'll assume that the primary concern is with apps / sites that
> > unintentionally block deep links due to legitimate EPR usage.  In this
> case
> > the intended audience matters because it's targeted.
> I'm not sure what the primary concern is. Making it impossible to
> navigate to (or embed?) resources without going through a front door,
> legitimate or not, is a concern.
> >> There are other ways we could limit some of these too I think. E.g. by
> >> introducing first-party and/or same-origin cookies.
> >
> > I think that would address XSRF but not XSS.  (?)
> Well, that's one down, one to go.
> So XSS is still a concern, but CSP helps with that. E.g. you could
> have very restrictive CSP on all but a few pages that you control
> carefully. That would be much less damaging to the web I think.
> --
> https://annevankesteren.nl/
Received on Thursday, 12 February 2015 20:33:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC