
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Henry Story <henry.story@co-operating.systems>
Date: Mon, 14 Sep 2015 16:10:44 +0100
Cc: public-web-security@w3.org, Mike O'Neill <michael.oneill@baycloud.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, public-webappsec@w3.org
Message-Id: <1D184713-8FD3-4150-B06F-4174842CDD6E@co-operating.systems>
To: Rigo Wenning <rigo@w3.org>


> On 14 Sep 2015, at 12:57, Rigo Wenning <rigo@w3.org> wrote:
> 
> On Saturday 29 August 2015 12:23:30 Mike O'Neill wrote:
>> Yes, a single legal entity (like a company) can control several origins, and
>> a single origin can be controlled by many entities (via subdomains). The
>> SOP needs to be re-enforced by a Single Entity Policy, i.e. by secure
>> declaration of what legal entity manages a subdomain or domain (or set of
>> them)
> 
> This is just calling for large entities being able to control multi-site 
> services. To require SOP being tied to the legal structure is not a solution. 
> It looks compelling only on a first glance and evaporates when talking about 
> groups of legal persons that are dependent. 
> 
> I'm rather with Anders here. I don't think the SOP argument has anything to do 
> with the discussion about securing things by hardware. If SOP is the only 
> possible scope in your head, we have a problem anyway, Houston...
> 
> So I think Anders' message should serve to start the scoping discussion. P.ex. 
> I do NOT want to scope something for the same origin, but for "this 
> transaction". Coming on with the SOP as a drop dead argument against hardware 
> security and TEE is doing the apples and oranges game. Saying an apple is not 
> a good orange is not really helpful. 
> 
> --Rigo

Just a note that there is a parallel discussion happening 
on the TAG mailing list arguing about the relation between
SOP and User Control, that is: between a technical and a legal
concept.

My contributions there go in the direction of what Rigo is arguing
here, that is that these are separate concepts, that cannot be applied
willy-nilly without careful argument. See:
 https://lists.w3.org/Archives/Public/www-tag/2015Sep/0033.html
 https://lists.w3.org/Archives/Public/www-tag/2015Sep/0038.html

But the whole discussion this September on the TAG is really revolving
around this topic.

	Henry
Received on Monday, 14 September 2015 15:11:18 UTC
