
Re: WebAppSec re-charter status

From: Eduardo' Vela\ <evn@google.com>
Date: Fri, 13 Feb 2015 12:13:29 +0100
Message-ID: <CAFswPa8XoGnDFyLKF4jAwvvKNV1R-hPJZacqZZHFFNrnuc78Fg@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, David Ross <drx@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I spent some time trying to make a poor-man's EPR with ServiceWorkers and it
didn't work. Since ServiceWorkers don't get invoked on resource requests
(XHR, <img>, etc.), one can't use them to protect against CSRF.

That said, ServiceWorkers can be used effectively to "break linking in the
web". Since it's already possible to "break linking on the web" with
ServiceWorkers, we need to either fix SWs, or allow EPR.

On Fri, Feb 13, 2015 at 4:07 AM, Brad Hill <hillbrad@gmail.com> wrote:

> Manageability of security and attack surface reduction for web
> applications are the top-line charter goals for this WG and have been since
> its inception.
>
> It has, for example, always been possible to write applications without
> XSS vulnerabilities, even before CSP.   To paraphrase Mike West - writing a
> secure application is easy: you just have to be perfect.  Don't make a
> mistake, ever.
>
> We would like to provide tools which make authoring and operating secure
> applications more practical.  Experience has shown that declarative policy
> mechanisms which reduce attack surface are among the most useful tools we
> can offer in this respect.  EPR has the particular benefit of being simple
> and low-risk to apply to legacy applications, an area where experience has
> shown CSP to be somewhat lacking.
>
> I don't think EPR is more important than preserving linking on the web,
> but I don't think it's useless, either.  I guess I feel like the things
> driving each are different.  If sites think that deep linking is
> economically harmful to them, they are already motivated to aggressively
> deploy existing tools and techniques to attack it.  Adding a slightly
> cheaper way to accomplish some of the same goals won't change the outcomes
> much for that population.  But security budgets are more limited, and have
> to be spent defending against threats which may not materialize, the costs
> of which cannot be easily measured.  It's much more important that tools
> for legitimate defense be affordable and manageable.
>
> On Thu Feb 12 2015 at 5:16:07 PM Bjoern Hoehrmann <derhoermi@gmx.net>
> wrote:
>
>> * David Ross wrote:
>> >That being said, I think the criticism is a bit unfair.  EPR is an opt-in
>> >feature with an intended audience largely separate from those who might
>> >wish to prevent deep linking on their web sites.  I don't see any reason to
>> >believe that we will see excessive and inconsiderate application of EPR
>> >leading to linkability issues on the web at large.  If a publisher is
>> >determined to prevent deep linking there are plenty of ways for them to do
>> >that today, whether they choose to make use of the web platform or not.
>>
>> If "EPR" is redundant with existing features, why is it being proposed?
>> --
>> Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
>> D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
>>  Available for hire in Berlin (early 2015)  · http://www.websitedev.de/
>>
>>
Received on Friday, 13 February 2015 11:14:22 UTC
