
Re: WebAppSec re-charter status

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 12 Feb 2015 22:52:55 +0100
Message-ID: <CADnb78i_uXfs21BUyM6Po5CHyyBSsM9R7QQUBhC5HPBr=4YkfQ@mail.gmail.com>
To: "Eduardo' Vela <Nava>" <evn@google.com>
Cc: Mounir Lamouri <mlamouri@google.com>, Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, Deian Stefan <deian@cs.stanford.edu>, Mike West <mkwst@google.com>, David Baron <dbaron@dbaron.org>, Jeffrey Yasskin <jyasskin@google.com>, Daniel Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, David Ross <drx@google.com>, Martin Thomson <martin.thomson@gmail.com>
On Thu, Feb 12, 2015 at 9:50 PM, "Eduardo' Vela <Nava>" <evn@google.com> wrote:
> Hmm, I think I didn't explain myself correctly.

I thought you did.

> The concern is that, say, if EPR was implemented, sites like Facebook or the
> WSJ could block Google or Bing from linking to their site.
> Another concern is that, for example, Bugzilla or github could break links in
> a way that I couldn't bookmark them or store them in delicio.us.
> Another concern is that, for example, Yahoo News could be linked to from Bing
> but not DuckDuckGo.
> Did I miss any concerns on EPR vs. The Web?

Directly linking to "subresources" of an EPR site, presumably.

> Which of these concerns is impossible without EPR? Say, with Referrer
> checking.

As I said, if you implement Referer checking you might end up breaking
your own site for a number of users due to weird firewall policies.
See past research on that header. I think it was done by Adam Barth.

> Is the concern that EPR will make this practice mainstream?

It's a concern, certainly.

Received on Thursday, 12 February 2015 21:53:23 UTC
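The failure mode Anne describes, strict Referer checking locking out users whose proxy or firewall strips the header, contrasted with the lenient variant that only rejects a present cross-origin Referer, as an added example that is not part of the thread. It assumes `https://example.org` as the checking site's origin and uses constructed sample requests.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumed origin of the site performing the check (not from the thread).
SITE_ORIGIN = "https://example.org"


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL to its scheme://host[:port] origin; None if malformed."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def referer_check(headers: Dict[str, str], strict: bool) -> str:
    """Decide "allow" or "block" for one request from its headers.

    strict=True  : a missing Referer is blocked. This is what breaks the
                   site's own users behind header-stripping proxies.
    strict=False : a missing Referer is tolerated; only a Referer that is
                   present and from another origin is blocked.
    """
    ref = headers.get("Referer")
    if ref is None:
        return "block" if strict else "allow"
    return "allow" if origin_of(ref) == SITE_ORIGIN else "block"


# Constructed sample requests, one per situation discussed above.
REQUESTS: Dict[str, Dict[str, str]] = {
    "same-site navigation": {"Referer": "https://example.org/inbox"},
    "proxy stripped Referer": {},  # legitimate user, header removed in transit
    "cross-site link": {"Referer": "https://search.example.com/results?q=x"},
}


def evaluate(strict: bool) -> Dict[str, str]:
    """Run every sample request through the chosen policy."""
    return {name: referer_check(h, strict) for name, h in REQUESTS.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "lenient", evaluate(mode))
```

The strict policy blocks the "proxy stripped Referer" request even though it comes from a legitimate user, which is the breakage Anne warns about; the lenient policy keeps that user while still rejecting the cross-site request.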
