
Re: WebAppSec re-charter status

From: Eduardo' Vela\ <evn@google.com>
Date: Thu, 12 Feb 2015 23:23:35 +0100
Message-ID: <CAFswPa-0Pxr_3fkhihqY-2qb++ON6DRbCDZ9XgVfSVfCGzXvpg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mounir Lamouri <mlamouri@google.com>, Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Deian Stefan <deian@cs.stanford.edu>, Devdatta Akhawe <dev.akhawe@gmail.com>, David Baron <dbaron@dbaron.org>, Mike West <mkwst@google.com>, Daniel Veditz <dveditz@mozilla.com>, Jeffrey Yasskin <jyasskin@google.com>, Brad Hill <hillbrad@gmail.com>, David Ross <drx@google.com>, Martin Thomson <martin.thomson@gmail.com>
So EPR breaks the web because Referrer enforcement is broken and can't be
used as a security control effectively. That's why you mentioned Origin and
HTTPS, since Referrer enforcement is less likely to break over SSL and
Origin works differently.

I see, it all makes sense now.
On Feb 12, 2015 10:52 PM, "Anne van Kesteren" <annevk@annevk.nl> wrote:

> On Thu, Feb 12, 2015 at 9:50 PM, Eduardo' Vela" <Nava> <evn@google.com>
> wrote:
> > Hmm, I think I didn't explain myself correctly.
>
> I thought you did.
>
>
> > The concern is that, say, if EPR was implemented, sites like Facebook or
> > the WSJ could block Google, or Bing from linking to their site.
> >
> > Other concern is that, for example, Bugzilla or github could break links
> > in a way that I couldn't bookmark them or store them in delicio.us.
> >
> > Other concern is that, for example, Yahoo News could be linked to from
> > Bing but not DuckDuckGo.
> >
> > Did I miss any concerns on EPR vs. The Web?
>
> Directly linking to "subresources" of an EPR site, presumably.
>
>
> > Which of these concerns is impossible without EPR? Say, with Referrer
> > checking.
>
> As I said, if you implement Referer checking you might end up breaking
> your own site for a number of users due to weird firewall policies.
> See past research on that header. I think it was done by Adam Barth.
>
>
> > Is the concern that EPR will make this practice mainstream?
>
> It's a concern, certainly.
>
>
> --
> https://annevankesteren.nl/
>
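The exchange above turns on one practical point: a Referer check rejects every request whose Referer a proxy or privacy tool has stripped, so a site that enforces it "breaks itself" for those users, while the Origin header was designed to survive that stripping but is not sent on plain link navigations. The following is an added example, not code from the thread or from any of the participants, that makes the trade-off measurable: two constructed validation policies are run over a constructed set of request headers and the count of legitimate requests each one turns away is returned. The allowlist `ALLOWED_HOSTS`, the sample requests and the function names are all assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the hosts this hypothetical site accepts requests from.
ALLOWED_HOSTS = {"www.example.com"}


def host_of(url):
    """Return the hostname of a URL (lowercased by urlsplit), or None if it has none."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def referer_strict(headers):
    """Strict Referer check: the request must carry a Referer on an allowed host.
    A request with no Referer at all is rejected, which is exactly what hits
    users whose proxy or privacy software strips the header."""
    referer = headers.get("Referer")
    return referer is not None and host_of(referer) in ALLOWED_HOSTS


def origin_then_referer(headers):
    """Prefer Origin (built to survive proxies and to carry only the origin),
    fall back to Referer, and reject only when neither is present.
    'Origin: null' names no origin and is treated as not allowed."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin != "null" and host_of(origin) in ALLOWED_HOSTS
    referer = headers.get("Referer")
    if referer is not None:
        return host_of(referer) in ALLOWED_HOSTS
    return False


# Constructed sample requests: (description, is_legitimate, headers as a browser would send them)
SAMPLE_REQUESTS = [
    ("same-site POST, both headers present", True,
     {"Origin": "https://www.example.com", "Referer": "https://www.example.com/settings"}),
    ("same-site POST, Referer stripped by a proxy", True,
     {"Origin": "https://www.example.com"}),
    ("same-site GET navigation, Referer stripped (browsers send no Origin on a plain link click)", True,
     {}),
    ("cross-site POST from another origin", False,
     {"Origin": "https://other.example", "Referer": "https://other.example/form"}),
    ("cross-site POST whose sender withholds Referer via its referrer policy", False,
     {"Origin": "https://other.example"}),
    ("cross-site POST carrying Origin: null (e.g. from a sandboxed document)", False,
     {"Origin": "null"}),
]


def false_rejects(policy):
    """Legitimate requests the policy turns away: the 'breaking your own site' case."""
    return [desc for desc, legit, hdrs in SAMPLE_REQUESTS if legit and not policy(hdrs)]


def false_accepts(policy):
    """Cross-site requests the policy lets through."""
    return [desc for desc, legit, hdrs in SAMPLE_REQUESTS if not legit and policy(hdrs)]


if __name__ == "__main__":
    for policy in (referer_strict, origin_then_referer):
        print(policy.__name__)
        print("  rejects legitimate:", false_rejects(policy))
        print("  accepts cross-site:", false_accepts(policy))
```

Neither policy admits any of the cross-site samples, so the difference is entirely in collateral damage: the strict Referer check rejects both stripped-header cases, while the Origin-first check only loses the plain GET navigation, where browsers send neither header. That remaining case is the linking scenario the thread is about, which is why moving to Origin narrows the breakage but does not remove it.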
Received on Thursday, 12 February 2015 22:24:04 UTC
