W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2016

RE: [Proposal]: Set origin-wide policies via a manifest.

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Thu, 28 Jul 2016 13:58:22 +0100
To: "'Mike West'" <mkwst@google.com>, "'Brad Hill'" <hillbrad@gmail.com>, "'Patrick Toomey'" <patrick.toomey@github.com>
Cc: "'Anne van Kesteren'" <annevk@annevk.nl>, "'Joel Weinberger'" <jww@google.com>, "'Devdatta Akhawe'" <dev.akhawe@gmail.com>, <public-webappsec@w3.org>
Message-ID: <3cfb01d1e8cf$b97f3150$2c7d93f0$@baycloud.com>

2) Another smart person at FB points out that the benefit of having the client send which version it is currently enforcing for the domain is that you can avoid having to do an H2 push for every request to avoid blocking.  Seems like a big deal, so maybe the "cookie-like" semantics are a big win, after all.

Hrm. That's fair. The client would be able to cancel the push, but that's another roundtrip, and avoiding it would be ideal.

How about a compromise: we send the current version up in the header, we tie it to cookies in terms of clearing behavior, and we also send a static advertisement of the feature if the user agent wouldn't send cookies with a request.

That is, if a user has enabled third-party cookie blocking, then the request generated from `<iframe src="https://not-this-origin.test/"></iframe>` would contain `Origin-Policy: 1` rather than `Origin-Policy: "whatever"`. That should limit the risks of the advertisement to being strictly lower than cookies, while enabling the performance improvements for those servers to which a user would send cookies anyway.

Giving a privacy-aware user potentially worse performance is problematic, though I expect it would be rare. But this still suffers from the transparency argument: how does the user know that an origin has made the Origin-Policy response have a UID in it? An alternative may be to use the cookies. If the cookies are present (not blocked) then one of them could be `Cookie: __Origin-Policy: I-want-this-one`; then the server sees that and supplies that version along with its hash in the request header. The user is no worse off privacy-wise because they can use the browser UI to see what's happening, and there hasn't been yet another possible fingerprint vector created.

mikeo
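The compromise discussed in this thread, as an added toy model that is not part of the proposal or of any message above: the client caches the Origin-Policy version it enforces per origin, clears it with that origin's cookies, and advertises either the concrete version or the static `1` depending on whether cookies would be sent. The header quoting and the `would_send_cookies` rule are assumptions, not the draft's syntax.

```python
# Added example (not from the thread or the Origin Policy draft). Models
# the client side of the "cookie-like" Origin-Policy header and the server
# decision to skip an H2 push when the client already enforces the version.
from dataclasses import dataclass, field

STATIC_ADVERTISEMENT = "1"  # "I support origin policies"; no version disclosed


@dataclass
class Client:
    block_third_party_cookies: bool = False
    cookies: dict = field(default_factory=dict)   # origin -> cookie jar
    policies: dict = field(default_factory=dict)  # origin -> enforced version

    def would_send_cookies(self, origin: str, top_level: str) -> bool:
        """Assumed rule: cookies are sent unless the request is third-party
        and the user has enabled third-party cookie blocking."""
        return not (self.block_third_party_cookies and origin != top_level)

    def request_header(self, origin: str, top_level: str) -> str:
        """Value of the Origin-Policy request header for this fetch.

        The concrete version is only revealed where cookies would go too,
        so the advertisement never carries more state than a cookie."""
        if self.would_send_cookies(origin, top_level) and origin in self.policies:
            return '"%s"' % self.policies[origin]
        return STATIC_ADVERTISEMENT

    def clear_site_data(self, origin: str) -> None:
        """Cookie-like clearing: the policy version goes away with cookies."""
        self.cookies.pop(origin, None)
        self.policies.pop(origin, None)


def server_should_push(advertised: str, current_version: str) -> bool:
    """Server pushes the manifest unless the client already enforces
    the current version; a bare "1" always triggers the push."""
    return advertised != '"%s"' % current_version
```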

Received on Thursday, 28 July 2016 12:59:04 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:20 UTC