RE: Isolate-Me explainer

Neat! I’ve wanted something like this for at least six years, but it gets stuck on the issue that web devs need to do work to opt into it, and thus is likely to suffer low adoption for a long time to come. Worse, the sites that really benefit from it (banking) are old and stable, some of the least likely to update to whatever the new shiny is in web standards. Thus true site isolation (isolate all origins by default) seemed better than isolate-me, with the downside that true site isolation is very hard to achieve.

Which leads to a question: does Google see isolate-me as a step towards site isolation? Or are you giving up on site isolation and proposing this instead?

From: Emily Stark (Dunn) [mailto:estark@google.com]
Sent: Friday, September 16, 2016 8:16 AM
To: public-webappsec@w3.org
Cc: Mike West <mkwst@google.com>; Joel Weinberger <jww@google.com>; Tanvi Vyas <tanvi@mozilla.com>
Subject: Isolate-Me explainer

Hi webappsec! Mike, Joel, and I have been discussing an idea for a developer facing opt-in to allow highly security- or privacy-sensitive sites to be isolated from other origins on the web.

We wrote up the idea here to explain what we're thinking about, why we think it's important, and the major open questions: https://mikewest.github.io/isolation/explainer.html


Please read and comment/criticize/etc. Thoughts welcome, either here in this thread or as GitHub issues. Especially interested to hear from Mozilla folks as it relates to and is heavily inspired by containers.

Thanks!
Emily

Received on Monday, 19 September 2016 20:25:59 UTC