
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Adrian Hope-Bailie <adrian@hopebailie.com>
Date: Wed, 23 Sep 2015 12:53:59 -0300
Message-ID: <CA+eFz_+PSEaRorXiShaeammAzbaOap=o=BEW4Fp1MQWG_E---Q@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: Harry Halpin <hhalpin@w3.org>, Alex Russell <slightlyoff@google.com>, public-web-security@w3.org, Tony Arcieri <bascule@gmail.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Rigo Wenning <rigo@w3.org>
I must confess to not following this thread in great detail but I have
noticed regular reference to the Web Payments activity and yet none of the
activity's mailing lists are copied to invite comment.

This last series of mails suggests that the work being done in the payments
activity is doomed to fail because it will not be able to follow SOP
security principles.

Am I understanding the current position of the SOP critics correctly?

If so, can we get a concise explanation as to what is being proposed in the
current draft of the Web Payments WG charter that these critics believe
cannot be implemented in an SOP-compliant manner?

On 23 September 2015 at 12:18, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> On 2015-09-23 15:57, Harry Halpin wrote:
>
>> On 09/23/2015 03:42 AM, Anders Rundgren wrote:
>>
>>> In my opinion the #1 problem with this discussion is that when you
>>> mention things that don't match the SOP vision like the fact that
>>> Android-, Apple-, and Samsung-Pay don't work on the Web, dead silence
>>> is all you get.
>>>
>>
> <ad hominem attacks>
>>
> > </ad hominem attacks>
>
> In particular, it is likely more productive for various non-SOP schemes
>> to find a way to adapt to SOP in a principled manner and so maintain
>> security and privacy properties. Payment schemes, identity schemes, and
>> the rest should and can do this.
>>
>
> This topic has never been discussed in for example:
> http://www.w3.org/Payments/IG/
>
> Maybe Jeff should take down the flag
> http://www.w3.org/2015/01/banker_payments.pdf
> before it gets too embarrassing?
>
> Anders
>
>
>
Received on Wednesday, 23 September 2015 15:54:30 UTC
