Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Jeffrey Yasskin <jyasskin@google.com>
Date: Wed, 23 Sep 2015 12:18:50 -0700
Message-ID: <CANh-dXnuFjNgYdSXV5xtVR5-_JOJasX0QgtqTm5Xnd3kMdBoFg@mail.gmail.com>
To: Dave Longley <dlongley@digitalbazaar.com>
Cc: Harry Halpin <hhalpin@w3.org>, Anders Rundgren <anders.rundgren.net@gmail.com>, Alex Russell <slightlyoff@google.com>, public-web-security@w3.org, Tony Arcieri <bascule@gmail.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Rigo Wenning <rigo@w3.org>
On Wed, Sep 23, 2015 at 9:04 AM, Dave Longley
<dlongley@digitalbazaar.com> wrote:
> On 09/23/2015 09:57 AM, Harry Halpin wrote:
>>
>> On 09/23/2015 03:42 AM, Anders Rundgren wrote:
>>>
>>> In my opinion the #1 problem with this discussion is that when you
>>> mention things that don't match the SOP vision, like the fact that
>>> Android-, Apple-, and Samsung-Pay don't work on the Web, dead silence
>>> is all you get.
>>
>> Since the same origin policy is the primary meaningful security boundary
>> on the Web, I expect for most people interested in security and privacy
>> that emails that dismiss SOP are generally put in the spam folder.
>>
>> I do understand some people are interested in creating, for example, a
>> 'unique identifier' across all websites such as in the form of an X.509
>> certificate. This sort of totalitarian identity scheme...
>
> "dismissing"? "totalitarian"? These words have meanings that don't seem to
> line up with their usage here, but their connotations do yield negative
> visceral reactions. Is the goal discord or understanding?
>
> I've really only been following this thread from the sidelines, but who has
> dismissed SOP? Who has shown interest in creating a 'unique identifier'
> across all websites? Are you referencing a different discussion?

He might be referring to
https://groups.google.com/a/chromium.org/d/msg/blink-dev/pX5NbX0Xack/JN-v2FEmBgAJ,
which expresses a goal to "allow[] you to use one certificate to
authenticate to all servers".

Jeffrey
Received on Wednesday, 23 September 2015 19:19:39 UTC