
Re: [Proposal]: Set origin-wide policies via a manifest.

From: Mike West <mkwst@google.com>
Date: Tue, 26 Jul 2016 19:33:50 +0200
Message-ID: <CAKXHy=fZeAgby3=9RDigmJvHD+-Lqmg8guh9q5k7gApHqpy8VQ@mail.gmail.com>
To: "Mike O'Neill" <michael.oneill@baycloud.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi Mike!

On Tue, Jul 26, 2016 at 7:00 PM, Mike O'Neill <michael.oneill@baycloud.com>
wrote:
>
> This is good, but it would help mitigate the privacy risk if the
> Origin-Policy request header value was limited in entropy, i.e. some small
> number of characters.


How would this help? The tracking capability exposed is exactly the same as
cookies (less, if you want to be nit-picky, since the character set is more
limited). Reducing the entropy contained in this key while leaving the
entropy contained in those keys over there the same is not a net positive.


> How many versions of the origin manifest are there likely to be?


Not many. However, one of the ideas floated in
https://github.com/mikewest/origin-policy/issues/1 was to enforce integrity
checks on the manifest by using its hash as the name. That seems like a
pretty good idea to me.


> Relying on users periodically deleting their entire cookie store to stop
> fingerprinting is not good.
>

If the user isn't wiping the cookies stored for an origin, fingerprinting
is unnecessary, because the cookies are right there.

"entire" jumped out at me, though: perhaps the language wasn't clear?
https://github.com/mikewest/origin-policy/commit/c5ed6d6f2e96e997d0bcf0d9280a978b35241865
is closer to what I thought I wrote.

-mike
Received on Tuesday, 26 July 2016 17:34:48 UTC