Re: A Somewhat Critical View of SOP (Same Origin Policy)

On 2015-09-25 22:31, Alex Russell wrote:
> If by "dead silence" you mean "constructive proposals to bridge the gap" [1], then yes, you're correct,
>
> [1] https://discourse.wicg.io/t/rfc-proposal-for-new-web-payments-api/1100

Thanx Alex,
It is great to see a concrete contribution. Apparently Microsoft is interested as well.

May I take the liberty of commenting a bit on the proposal (as it stands today) with the
subject line and webappsec/web-security as context?

SOP:
The proposal doesn't refer to SOP (there is no security considerations section).
The proposal instead relies on a browser-based mediator UI where the user decides
what is OK and what is not.  Isn't this pretty much what this lengthy debate
really was about in the first place?

UI:
Apple Pay is mentioned.  This system already have a UI which IMO seems to clash
with the idea that browsers should be equipped with payment UIs.

Security:
The proposal claims to add security to the plot by enabling new protocols to the Web.
I would be cautious about such promises.  Even the initial paymentRequest is likely
to be a part of new protocols making browsers subject to constant and fairly
application-specific updates, or alternatively, stall innovation.

Is there another way?  Yes, nuking the browser payment API concepts, and rather
standardize/improve Native Messaging which also have a gazillion of other applications.
The security properties for payments should be fully comparable as far as I can tell.

Cheers,
Anders

>
> On Wed, Sep 23, 2015 at 12:42 AM, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>
>     In my opinion the #1 problem with this discussion is that when you mention
>     things that doesn't match the SOP vision like the fact that Android-, Apple-,
>     and Samsung-Pay doesn't work on the Web, dead silence is all you get.
>
>     -- Anders
>
>

Received on Saturday, 26 September 2015 01:57:03 UTC