
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Rigo Wenning <rigo@w3.org>
Date: Mon, 14 Sep 2015 13:57:19 +0200
To: public-web-security@w3.org
Cc: Mike O'Neill <michael.oneill@baycloud.com>, 'Anders Rundgren' <anders.rundgren.net@gmail.com>, public-webappsec@w3.org
Message-ID: <18732440.9FA7zF5OxV@hegel>
On Saturday 29 August 2015 12:23:30 Mike O'Neill wrote:
> Yes, a single legal entity (like a company) can control several origins, and
> a single origin can be controlled by many entities (via subdomains). The
> SOP needs to be re-enforced by a Single Entity Policy, i.e. by secure
> declaration of what legal entity manages a subdomain or domain (or set of
> them)

This is just calling for large entities being able to control multi-site
services. To require SOP to be tied to the legal structure is not a solution.
It looks compelling only at first glance and evaporates when talking about
groups of legal persons that are dependent.

I'm rather with Anders here. I don't think the SOP argument has anything to do 
with the discussion about securing things by hardware. If SOP is the only 
possible scope in your head, we have a problem anyway, Houston...

So I think Anders' message should serve to start the scoping discussion. E.g.
I do NOT want to scope something for the same origin, but for "this
transaction". Coming on with the SOP as a drop-dead argument against hardware
security and TEE is doing the apples and oranges game. Saying an apple is not
a good orange is not really helpful.

 --Rigo
Received on Monday, 14 September 2015 11:57:39 UTC
