
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Tue, 1 Sep 2015 07:29:06 +0200
To: Tony Arcieri <bascule@gmail.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <55E537A2.4060205@gmail.com>

On 2015-09-01 07:16, Tony Arcieri wrote:
<snip>
>
>
>     Since neither you nor Google/Microsoft/Apple/Mozilla/Whatever have told us anything on how *they* think that any number of unrelated merchants should/could get access to a client's payment resources on the Web, we are apparently awaiting "Divine Intervention" :-)
>
>
> I like the idea of Stripe-style payment widgets. These allow payment tokens to be provisioned on a particular origin, and payments made via JS/communicating iframes.

Stripe is apparently hoping to become a super-provider.  Unless they succeed with that, their solution is dead in the water.
That's the core I (apparently in vain) tried to outline in my original posting.

Anders

>
> There are obviously a lot of unsolved concerns around this approach, particularly around things like secure content embedding, phishing, clickjacking, etc. The Position Observer API proposal looks interesting in that regard:
>
> https://github.com/slightlyoff/PositionObserver/blob/master/explainer.md
>
> -- 
> Tony Arcieri
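The "payment tokens provisioned on a particular origin, payments made via communicating iframes" pattern Tony mentions rests entirely on both sides of the iframe boundary checking origins before trusting a message. The following is an added illustration of that check, not Stripe's code and not from this thread; the origins, the message shapes and the `postMessageFrom` stand-in for the browser's `postMessage`/`onmessage` pair are assumptions so the exchange can run offline. The widget answers only the one merchant origin its token was provisioned for, replies to that verified origin rather than `"*"`, and the merchant page accepts a token only when `event.origin` is the widget's origin.

```javascript
// Added example (not Stripe's code, not from the thread): origin checks on both
// sides of a merchant page <-> payment widget iframe exchange.
// Assumed origins and message types; the window model below stands in for the
// browser's postMessage/onmessage so the example runs without a browser.

const MERCHANT_ORIGIN = "https://merchant.example"; // embedding page (assumed)
const WIDGET_ORIGIN = "https://pay.example";        // payment widget iframe (assumed)

// Minimal window model. postMessageFrom(sender, data, targetOrigin) mirrors the
// browser rule that a message is dropped when targetOrigin does not match the
// receiving window's origin, and that event.origin is set by the browser, not
// by the sender, so it cannot be forged.
function makeWindow(origin) {
  const win = { origin, listeners: [] };
  win.addEventListener = (type, fn) => {
    if (type === "message") win.listeners.push(fn);
  };
  win.postMessageFrom = (sender, data, targetOrigin) => {
    if (targetOrigin !== "*" && targetOrigin !== win.origin) return false;
    for (const fn of win.listeners) fn({ data, origin: sender.origin, source: sender });
    return true;
  };
  return win;
}

// Widget side (inside the iframe). The token was provisioned for exactly one
// merchant origin, so requests from any other embedder are ignored.
function installWidget(widgetWin, provisionedFor) {
  let counter = 0;
  widgetWin.addEventListener("message", (event) => {
    if (event.origin !== provisionedFor) return;              // SOP check on the requester
    if (!event.data || event.data.type !== "requestToken") return;
    counter += 1;
    const token = `tok_constructed_${counter}`;                 // constructed sample token
    // Reply to the verified origin only; a "*" target would leak the token to
    // whatever page happens to be embedding the widget.
    event.source.postMessageFrom(widgetWin, { type: "token", token }, event.origin);
  });
}

// Merchant side (embedding page). A token is accepted only from the widget origin.
function installMerchant(merchantWin, widgetOrigin, onToken) {
  merchantWin.addEventListener("message", (event) => {
    if (event.origin !== widgetOrigin) return;                // SOP check on the sender
    if (!event.data || event.data.type !== "token") return;
    onToken(event.data.token);
  });
}

// An embedding page at `embedderOrigin` asks the widget for a token.
// Returns the token the embedder's page received, or null if none was accepted.
function runExchange(embedderOrigin) {
  const widget = makeWindow(WIDGET_ORIGIN);
  const embedder = makeWindow(embedderOrigin);
  let received = null;
  installWidget(widget, MERCHANT_ORIGIN);
  installMerchant(embedder, WIDGET_ORIGIN, (t) => { received = t; });
  widget.postMessageFrom(embedder, { type: "requestToken" }, WIDGET_ORIGIN);
  return received;
}

// A message that looks like a token but arrives from a non-widget origin must
// be dropped by the merchant page. Returns what the merchant accepted (null).
function runUntrustedSender(senderOrigin) {
  const merchant = makeWindow(MERCHANT_ORIGIN);
  const sender = makeWindow(senderOrigin);
  let received = null;
  installMerchant(merchant, WIDGET_ORIGIN, (t) => { received = t; });
  merchant.postMessageFrom(sender, { type: "token", token: "tok_forged" }, "*");
  return received;
}

console.log("provisioned merchant:", runExchange(MERCHANT_ORIGIN));        // tok_constructed_1
console.log("other embedder:", runExchange("https://other.example"));       // null
console.log("untrusted sender:", runUntrustedSender("https://other.example")); // null
```

The two `event.origin` comparisons are the whole point: the browser fills in `origin` from the sender's actual origin, so neither a rogue embedder nor a page impersonating the widget can talk its way past them, which is exactly the SOP guarantee the widget model leans on. The clickjacking and secure-embedding concerns Tony raises are separate, since they attack what the user sees rather than the messaging channel.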
Received on Tuesday, 1 September 2015 05:29:47 UTC
