
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Rigo Wenning <rigo@w3.org>
Date: Tue, 15 Sep 2015 21:53:21 +0200
To: public-web-security@w3.org
Cc: Tony Arcieri <bascule@gmail.com>, Mike O'Neill <michael.oneill@baycloud.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, public-webappsec@w3.org
Message-ID: <6903931.Grf0Da5LQW@hegel>
On Monday 14 September 2015 8:43:20 Tony Arcieri wrote:
> > Coming on with the SOP as a drop dead argument against hardware security
> 
> SOP doesn't work with PKCS#11-style APIs. FIDO shows what's possible with
> hardware tokens that respect the SOP, though.

Obviously, because they all define their own scope. If you set one scope 
absolute (e.g. SOP), the other doesn't fit. This isn't exactly magic. The 
profound mistake is to believe that SOP is the only security on the web. I can 
well imagine privacy+identity-management+security of transactions instead of 
origins. This reduces greatly my trust exposure. It is just a totally 
different way. And of course it can't apply globally 1/1 as I imagine 
the definition of scope is not compatible, right. But SOP is also the wrong 
knife to cut that bread. Because the security here is not defined by the SOP, 
but by your identity provider that crosses some origins. Otherwise it wouldn't 
work. 

 --Rigo
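The contrast the thread turns on (a PKCS#11-style token whose keys are reachable from anywhere versus a FIDO-style token that binds each credential to a scope) is easy to model in code. The following is an added illustration, not code from either poster or from any FIDO or PKCS#11 implementation. It assumes a simplified scoping rule modelled on the later WebAuthn relying-party-ID check (origin must be https and its host must equal the rpId or be a subdomain of it; the public-suffix check a real browser also performs is left out), and all identifiers, origins and the `sig(...)` placeholder are constructed for the example; no real cryptography is performed.

```javascript
// Added illustration (not from the thread): two toy key stores.
// GlobalKeyStore models a PKCS#11-style token whose scope is defined by
// the token itself, so any caller that can reach it may use any key.
// ScopedKeyStore models a FIDO-style token that binds a credential to a
// relying-party identifier and refuses callers outside that scope.

// Simplified origin/rpId rule (assumption: modelled on WebAuthn's RP ID
// check, minus the public-suffix check a real browser performs).
function originMatchesRpId(origin, rpId) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // not a parseable origin
  }
  if (url.protocol !== 'https:') return false; // secure context only
  const host = url.hostname.toLowerCase();
  const rp = rpId.toLowerCase();
  if (host === rp) return true;
  return host.endsWith('.' + rp); // subdomain of the rpId
}

// PKCS#11-style: caller origin is ignored; reachability is the only check.
class GlobalKeyStore {
  constructor() { this.keys = new Map(); }
  register(keyId) { this.keys.set(keyId, { signCount: 0 }); }
  sign(keyId, _callerOrigin, challenge) {
    const k = this.keys.get(keyId);
    if (!k) return null;
    k.signCount += 1;
    return `sig(${keyId},${challenge})`; // placeholder, not a real signature
  }
}

// FIDO-style: the credential carries its rpId and every use is re-checked
// against the origin that asks for it.
class ScopedKeyStore {
  constructor() { this.creds = new Map(); }
  register(credId, rpId, callerOrigin) {
    if (!originMatchesRpId(callerOrigin, rpId)) return false;
    this.creds.set(credId, { rpId, signCount: 0 });
    return true;
  }
  sign(credId, callerOrigin, challenge) {
    const c = this.creds.get(credId);
    if (!c) return null;
    if (!originMatchesRpId(callerOrigin, c.rpId)) return null; // out of scope
    c.signCount += 1;
    return `sig(${credId},${c.rpId},${challenge})`; // placeholder
  }
}

// Constructed scenario: one key/credential for bank.example, then requests
// from the owner, from an unrelated origin, and over plain http.
function demo() {
  const global = new GlobalKeyStore();
  global.register('k1');
  const scoped = new ScopedKeyStore();
  scoped.register('c1', 'bank.example', 'https://login.bank.example');
  return {
    globalFromAttacker: global.sign('k1', 'https://evil.example', 'n1'),
    scopedFromOwner: scoped.sign('c1', 'https://bank.example', 'n2'),
    scopedFromAttacker: scoped.sign('c1', 'https://evil.example', 'n3'),
    scopedFromHttp: scoped.sign('c1', 'http://bank.example', 'n4'),
  };
}

console.log(demo());
```

The global store answers the unrelated origin as readily as the owner; the scoped store answers only the owner over https and returns null for the other two. Note that the scoping is enforced at the token, so it holds regardless of what the page's script does, which is the property the quoted reply attributes to FIDO.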
Received on Tuesday, 15 September 2015 19:53:44 UTC
