
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Harry Halpin <hhalpin@w3.org>
Date: Wed, 23 Sep 2015 09:57:56 -0400
Message-ID: <5602AFE4.5060702@w3.org>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, Alex Russell <slightlyoff@google.com>
CC: public-web-security@w3.org, Tony Arcieri <bascule@gmail.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Rigo Wenning <rigo@w3.org>

On 09/23/2015 03:42 AM, Anders Rundgren wrote:
> In my opinion the #1 problem with this discussion is that when you
> mention things that don't match the SOP vision, like the fact that
> Android-, Apple-, and Samsung-Pay don't work on the Web, dead silence
> is all you get.

Since the same origin policy is the primary meaningful security boundary
on the Web, I expect for most people interested in security and privacy
that emails that dismiss SOP are generally put in the spam folder.

I do understand some people are interested in creating, for example, a
'unique identifier' across all websites, such as in the form of an X.509
certificate. This sort of totalitarian identity scheme (often based on
broken crypto, such as <keygen>) will likely be implemented across all
browsers, as would any payment scheme that makes the same broken
assumptions. Supporters of such positions seem to have a lack of
understanding of the modern Web and/or basic cryptography, and while to
some extent basic education can be done on Web-related mailing lists, I
doubt many people find it a productive use of their time given the
large amount of high-quality online courses out there and the relatively
important work that has to be done in terms of Web standards.

In particular, it is likely more productive for various non-SOP schemes
to find a way to adapt to SOP in a principled manner and so maintain
security and privacy properties. Payment schemes, identity schemes, and
the rest should and can do this.

            cheers,
              harry

>
> -- Anders
>
>
Received on Wednesday, 23 September 2015 13:58:01 UTC
