
SOP wiki was: A Somewhat Critical View of SOP (Same Origin Policy)

From: Henry Story <henry.story@co-operating.systems>
Date: Mon, 28 Sep 2015 12:15:28 +0100
Cc: Dave Longley <dlongley@digitalbazaar.com>, Dave Raggett <dsr@w3.org>, Carvalho Melvin <melvincarvalho@gmail.com>, Martin Paljak <martin.paljak@ria.ee>, "public-web-security@w3.org" <public-web-security@w3.org>, WebAppSec WG <public-webappsec@w3.org>
Message-Id: <AAEFF564-1547-4103-9282-D901BD3BAF76@co-operating.systems>
To: GALINDO Virginie <Virginie.GALINDO@gemalto.com>

> On 25 Sep 2015, at 15:38, GALINDO Virginie <Virginie.GALINDO@gemalto.com> wrote:
> 
> Thanks for completing your use case on the wiki dedicated to that topic, guys !
> https://www.w3.org/Security/wiki/IG/a_view_on_SOP
> 
> Regards,
> Virginie

Thanks, Virginie, for the great idea of putting up this wiki. Mailing list
discussions are very educational if one follows them with great care, but
it is very difficult for people who jump in from the outside in mid-conversation,
or who are following from the sidelines, to understand what, if anything, has
been gained by the discussion.

I have brought together a lot of what I have learnt about SOP, with many
references to IETF and W3C specs, pointers to new evolutions in the webapp(sec)
groups, and discussion with community members, on the wiki:

  https://www.w3.org/Security/wiki/IG/a_view_on_SOP

This weekend I re-arranged the wiki into three pieces:

1. Conceptual map: just to give an idea of how work from privacy, identity,
security, logic, and other areas bears on the issue. There are still pieces
to be filled out here.

2. Exceptions to SOP:

  The more I look around, the more well-documented and justified
exceptions to narrow understandings of SOP I have found. This should give us some good raw
material for a later exploration of a theory of SOP.

3. Implications for Future standards.

  A third section on how SOP is bringing up issues for future requirements such as
WebPayments.

4. Theory of SOP

  Here I think we'll be able to bring together an extended theory of SOP
that makes sense of the exceptions, whilst showing how these tie into other
elements of the conceptual spaces. My feeling is that a bit of work in some
very initial modal logic of belief contexts would help give a secure logical
foundation.

I think this is taking shape. Of course, there will be errors and improvements. It is not
complete, so feedback is welcome.

Henry
Received on Monday, 28 September 2015 11:16:01 UTC
