W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: CfC to publish FPWD of CSP Pinning; deadline Feb. 9th

From: Mike West <mkwst@google.com>
Date: Mon, 16 Feb 2015 21:09:33 +0100
Message-ID: <CAKXHy=eX2-Vr4kbiK=Z=WUwevELg-KEoYK=B-ud-R7ZgHgKYng@mail.gmail.com>
To: Deian Stefan <deian@cs.stanford.edu>, Alex Russell <slightlyoff@google.com>, Jake Archibald <jakearchibald@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Brian Smith <brian@briansmith.org>
Nope. But +Alex again, just in case he has opinions. Also +Jake. Hi, Jake!

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine
Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Mon, Feb 16, 2015 at 9:02 PM, Deian Stefan <deian@cs.stanford.edu> wrote:
>
> Great!
>
> Mike West <mkwst@google.com> writes:
>> Because I don't understand why ServiceWorkers have introduced
>> path-based granularity. As I noted in that thread (and as Brian
>> agreed), the origin makes sense as a security boundary. Pretending
>> that such a boundary exists for paths seems problematic.
>
> I suppose the one case where the path-based approach helps is the
> university scenario, where e.g. stanford.edu/~evil sets an
> overly-restricting CSP that ends up breaking *.stanford.edu.  The right
> thing here is for the admin to disallow setting such headers, but I can
> see that becoming a problem. (But, I guess ~evil can already mess with
> cookies, etc.)
>
> In any case, I agree with sticking to the origin as the security
> boundary, I was more curious to see if you got any info from Alex or
> others on the path stuff off-list.
>
> Deian
Received on Monday, 16 February 2015 20:10:22 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC