
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sat, 26 Sep 2015 03:56:27 +0200
To: Alex Russell <slightlyoff@google.com>
Cc: public-web-security@w3.org, Tony Arcieri <bascule@gmail.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Rigo Wenning <rigo@w3.org>
Message-ID: <5605FB4B.8060008@gmail.com>
On 2015-09-25 22:31, Alex Russell wrote:
> If by "dead silence" you mean "constructive proposals to bridge the gap" [1], then yes, you're correct,
>
> [1] https://discourse.wicg.io/t/rfc-proposal-for-new-web-payments-api/1100

Thanx Alex,
It is great to see a concrete contribution. Apparently Microsoft is interested as well.

May I take the liberty of commenting a bit on the proposal (as it stands today) with the
subject line and webappsec/web-security as context?

SOP:
The proposal doesn't refer to SOP (there is no security considerations section).
The proposal instead relies on a browser-based mediator UI where the user decides
what is OK and what is not.  Isn't this pretty much what this lengthy debate
really was about in the first place?

UI:
Apple Pay is mentioned.  This system already has a UI which IMO seems to clash
with the idea that browsers should be equipped with payment UIs.

Security:
The proposal claims to add security to the plot by enabling new protocols to the Web.
I would be cautious about such promises.  Even the initial paymentRequest is likely
to be a part of new protocols making browsers subject to constant and fairly
application-specific updates, or alternatively, stall innovation.

Is there another way?  Yes, nuking the browser payment API concepts and rather
standardizing/improving Native Messaging, which also has a gazillion other applications.
The security properties for payments should be fully comparable as far as I can tell.

Cheers,
Anders

>
> On Wed, Sep 23, 2015 at 12:42 AM, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>
>     In my opinion the #1 problem with this discussion is that when you mention
>     things that don't match the SOP vision, like the fact that Android-, Apple-,
>     and Samsung-Pay don't work on the Web, dead silence is all you get.
>
>     -- Anders
>
>
Received on Saturday, 26 September 2015 01:57:03 UTC
