
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Dave Longley <dlongley@digitalbazaar.com>
Date: Wed, 23 Sep 2015 12:04:05 -0400
Message-ID: <5602CD75.9020904@digitalbazaar.com>
To: Harry Halpin <hhalpin@w3.org>, Anders Rundgren <anders.rundgren.net@gmail.com>, Alex Russell <slightlyoff@google.com>
CC: public-web-security@w3.org, Tony Arcieri <bascule@gmail.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Rigo Wenning <rigo@w3.org>
On 09/23/2015 09:57 AM, Harry Halpin wrote:
> On 09/23/2015 03:42 AM, Anders Rundgren wrote:
>> In my opinion the #1 problem with this discussion is that when you
>> mention things that don't match the SOP vision, like the fact that
>> Android-, Apple-, and Samsung-Pay don't work on the Web, dead silence
>> is all you get.
> Since the same origin policy is the primary meaningful security boundary
> on the Web, I expect for most people interested in security and privacy
> that emails that dismiss SOP are generally put in the spam folder.
> I do understand some people are interested in creating, for example,
> a 'unique identifier' across all websites such as in the form of an X.509
> certificate. This sort of totalitarian identity scheme...

"dismissing"? "totalitarian"? These words have meanings that don't seem 
to line up with their usage here, but their connotations do yield 
negative visceral reactions. Is the goal discord or understanding?

I've really only been following this thread from the sidelines, but who 
has dismissed SOP? Who has shown interest in creating a 'unique 
identifier' across all websites? Are you referencing a different discussion?

I have seen more subtle arguments put forth than what you suggest. Even 
advocates of using an email address from a super provider as a 'unique 
identifier' don't suggest it be done across *all* websites.

It is considered good practice to avoid setting up strawmen arguments or 
those that can't be differentiated from such because of a lack of 
context. Strawmen are easy to create and fun to knock down, but they 
don't advance a discussion in any substantive way. You can't demonstrate 
that an argument is lacking in substance by attacking a different argument.

It's also recommended that we be fairly slow in convincing ourselves 
that we have a good grasp on the measure of what other people 
understand. Miscommunication is commonplace on the Internet. It takes a 
while to gather enough information to really understand what another 
person is thinking. If you don't have that time, that's fine, don't 
engage. I'm on board with that aspect of your argument.

However, I would consider it a mistake to dismiss (proper usage) your 
email on the basis that you had some basic semantic and grammatical 
errors. A few mistakes, trivial or otherwise, are not sufficient 
information for one to judge the totality of another's understanding of 
a subject. Telling someone who makes a mistake that they have to come back 
after they've completed a task that cannot possibly eliminate all 
mistakes is just a different way of expressing the halting problem.

Dave Longley
Digital Bazaar, Inc.
Received on Wednesday, 23 September 2015 16:04:34 UTC