
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Tony Arcieri <bascule@gmail.com>
Date: Mon, 31 Aug 2015 22:16:08 -0700
Message-ID: <CAHOTMVL32BZopZkOL6B4HfEaG08t0bPZ+4NnZDOMEbvY8+=Ehg@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Aug 31, 2015 at 9:52 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

>> The reality of the cryptographic technologies WebCrypto hoped to unlock
>> in-browser is they're rarely used,
>
> That is a US-centric view.


And yours is an identity-centric view of the possibilities of web
cryptography ;)

> Since neither you nor Google/Microsoft/Apple/Mozilla/Whatever have told
> us anything on how *they* think that any number of unrelated merchants
> should/could get access to a client's payment resources on the Web, we are
> apparently awaiting "Divine Intervention" :-)


I like the idea of Stripe-style payment widgets. These allow payment tokens
to be provisioned on a particular origin, and payments made via
JS/communicating iframes.

There are obviously a lot of unsolved concerns around this approach,
particularly around things like secure content embedding, phishing,
clickjacking, etc. The Position Observer API proposal looks interesting in
that regard:

https://github.com/slightlyoff/PositionObserver/blob/master/explainer.md

-- 
Tony Arcieri
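The "payment tokens provisioned on a particular origin, payments made via communicating iframes" design in the message above relies on both sides of the postMessage channel enforcing origins. The following is an added example written for this archive page; it is not code from the thread, from Stripe, or from any payment provider. All names (PAYMENT_ORIGIN, acceptPaymentToken, buildTokenPost, the token format) are hypothetical, and the message events are constructed so the logic runs outside a browser.

```javascript
// Added example (not from the thread, not a provider's code): origin checks
// that make a cross-origin payment widget safe under the Same Origin Policy.
// Assumed (hypothetical) design: the merchant page embeds a widget served
// from PAYMENT_ORIGIN; the widget mints a token and posts it back; the
// merchant page trusts only messages whose origin is exactly PAYMENT_ORIGIN.
const PAYMENT_ORIGIN = "https://widget.example-payments.test"; // hypothetical

// Merchant side: validate an incoming message event before trusting it.
// Returns the token string, or null when the message must be ignored.
function acceptPaymentToken(event, expectedOrigin = PAYMENT_ORIGIN) {
  // Exact origin comparison, never startsWith/includes: a lookalike such as
  // "https://widget.example-payments.test.attacker.test" must not match.
  if (event.origin !== expectedOrigin) return null;
  // Shape check: only a well-typed payload of the expected kind is accepted.
  const msg = event.data;
  if (!msg || typeof msg !== "object") return null;
  if (msg.type !== "payment-token") return null;
  // Hypothetical token format used for illustration only.
  if (typeof msg.token !== "string" || !/^tok_[A-Za-z0-9]{8,}$/.test(msg.token)) return null;
  return msg.token;
}

// Widget side: build the message together with the targetOrigin it must be
// posted with. Using the merchant's exact origin (never "*") means the
// browser drops the message if the embedding document has navigated away.
function buildTokenPost(token, merchantOrigin) {
  if (!/^https:\/\/[^/]+$/.test(merchantOrigin)) {
    throw new Error("merchantOrigin must be an https origin, not '*' or a full URL");
  }
  return { message: { type: "payment-token", token }, targetOrigin: merchantOrigin };
}

// Constructed sample events (not captured traffic) exercising the receiver.
function runConstructedCases() {
  const good = { type: "payment-token", token: "tok_abcd1234" };
  return {
    trustedOrigin: acceptPaymentToken({ origin: PAYMENT_ORIGIN, data: good }),
    lookalikeOrigin: acceptPaymentToken({
      origin: "https://widget.example-payments.test.attacker.test", data: good }),
    wrongShape: acceptPaymentToken({ origin: PAYMENT_ORIGIN, data: "tok_abcd1234" }),
  };
}

// In a browser the merchant page would wire this up as:
//   window.addEventListener("message", (e) => { const t = acceptPaymentToken(e); /* ... */ });
// and the widget would send with:
//   const p = buildTokenPost(tok, "https://shop.example.test");
//   window.parent.postMessage(p.message, p.targetOrigin);
```

The receiver-side check is the one most often missing in practice: a `message` listener that reads `event.data` without comparing `event.origin` accepts tokens from any document that can obtain a reference to the window, which is exactly the cross-origin boundary the SOP is meant to draw.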
Received on Tuesday, 1 September 2015 05:16:58 UTC
