> > Is the concern that EPR will make this practice mainstream?
> It's a concern, certainly.
So how exactly would this all play out if EPR were to get implemented in
browsers? Brian Smith suggested that the concern was all about
*unintended* abuse of EPR. So to me it sounds like the scenario is just
that people become overzealous with implementing EPR on their sites in
order to mitigate XSS / XSRF. To the extent that large and very public
facing sites adopt it (as opposed to the intended "control panel" type
scenarios). Is this the worry?
Dave
On Thu, Feb 12, 2015 at 2:23 PM, Eduardo' Vela" <Nava> <evn@google.com>
wrote:
> So EPR breaks the web because Referrer enforcement is broken and can't be
> used as a security control effectively. That's why you mentioned Origin and
> HTTPS. Since Referrer enforcement is less likely to break over SSL and
> Origin works differently.
>
> I see, it all makes sense now.
> On Feb 12, 2015 10:52 PM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>
>> On Thu, Feb 12, 2015 at 9:50 PM, Eduardo' Vela" <Nava> <evn@google.com>
>> wrote:
>> > Hmm, I think I didn't explain myself correctly.
>>
>> I thought you did.
>>
>>
>> > The concern is that, say, if EPR was implemented, sites like Facebook
>> or the
>> > WSJ could block Google, or Bing from linking to their site.
>> >
>> > Other concern is that, for example, Bugzilla or github could break
>> links in
>> > a way that I couldn't bookmark them or store them in delicio.us.
>> >
>> > Other concern is that, for example, Yahoo News could be linked to from
>> Bing
>> > but not DuckDuckGo.
>> >
>> > Did I miss any concerns on EPR vs. The Web?
>>
>> Directly linking to "subresources" of an EPR site, presumably.
>>
>>
>> > Which of these concerns is impossible without EPR? Say, with Referrer
>> > checking.
>>
>> As I said, if you implement Referer checking you might end up breaking
>> your own site for a number of users due to weird firewall policies.
>> See past research on that header. I think it was done by Adam Barth.
>>
>>
>> > Is the concern that EPR will make this practice mainstream?
>>
>> It's a concern, certainly.
>>
>>
>> --
>> https://annevankesteren.nl/
>>
>