
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Rigo Wenning <rigo@w3.org>
Date: Mon, 14 Sep 2015 19:08:49 +0200
To: Henry Story <henry.story@co-operating.systems>
Cc: public-web-security@w3.org, Mike O'Neill <michael.oneill@baycloud.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, public-webappsec@w3.org
Message-ID: <12224619.VvVKkCde7X@hegel>
Henry, 

On Monday 14 September 2015 16:10:44 Henry Story wrote:
> Just a note that there is a parallel discussion happening 
> on the TAG mailing list arguing about the relation between
> SOP and User Control, that is: between a technical and a legal
> concept.
> 
> My contributions there go in the direction of what Rigo is arguing
> here, that is that these are separate concepts, that cannot be applied
> willy nilly without careful argument. See:
>  https://lists.w3.org/Archives/Public/www-tag/2015Sep/0033.html
>  https://lists.w3.org/Archives/Public/www-tag/2015Sep/0038.html
> 
> But the whole discussion this September on the TAG is really revolving
> around this topic.

thanks for the cross-linking. The same argumentation has already been used 
during the rechartering of the WebCrypto Group. The privacy argument used by 
people from one of the largest origins is funny at best. If I use my token 
with A and I use my token with B, A and B have to communicate to find out that 
I used them both. 

If I use my super large origin to have analytics here and advertisement there 
and social networking over there, all the identified data is collected by the 
super same origin. This makes the privacy argument in this discussion so 
interesting. Especially as it gives the big players that are already close to 
monopoly yet another competitive advantage. 

After having read the thread, I persist in believing that Henry and Tim talk 
about apples (theirs :) and Alex and others are talking about oranges. This 
profound split in philosophy makes dialog and understanding so hard (if it is 
at all wanted).

Let me explain: 

Henry uses his computer and is a user on his machine/mobile. It happens that 
he accidentally uses a social network or some javascript cloud word processor. 
His browser mediates his user on his machine to the world. It is a tool to use 
services and to protect from those services. 

Alex uses his computer as a frontend to his cloud-identity. His user is his 
account on the social networking service that is integrated with his word 
processor and his document store. His browser is a necessary thing on some 
device so he can use his service. The browser is something that shouldn't 
create more risk for the user on his account. 

Once you think account-centric and super-service, it starts to make sense. 
You don't want to have interference from third parties or data leaks or 
vulnerabilities. You trust the service, not the browser. 

Henry doesn't necessarily trust the service or the network in between. He only 
wants to communicate with a specific counterpart. To do that, he needs to have 
a secret/means to work without being watched by the server. 

Both models come up again and again, e.g. in WebRTC (exposing IP address 
discussion). Can both co-exist? I think yes, others think no. 

For those who think "yes", the proposition of HaSec makes sense:
http://www.w3.org/2015/hasec/2015-hasec-charter.html
For those thinking no, this is not in line with web architecture as it creates 
another dimension that is hard to capture in a service account. 

Feel free to forward to the TAG if you think it makes sense. 

 --Rigo
Received on Monday, 14 September 2015 17:09:10 UTC