Re: Isolate-Me explainer

Thanks Emily.  I might suggest referencing our "App Isolation: Get the
Security of Multiple Browsers with Just One
<http://www.charlesreis.com/research/publications/ccs-2011.pdf>" paper in
the explainer as well, since that covers some investigation of EPR, process
isolation, and doubly keyed storage, and it breaks down what protections
you get if you only opt in to some of the mechanisms.

Anyway, we do hope to automatically identify some subset of sites that
would benefit from process isolation (e.g., that users have signed into or
are likely to), but having a hint like this from sites would be nice.

I also definitely agree that combining these various types of isolation can
have nice properties, if the sites are ok with the consequences (e.g., no
authenticated third party widgets like Like buttons, limited deep linking,
etc).

Charlie


On Mon, Sep 19, 2016 at 2:46 PM, Emily Stark (Dunn) <estark@google.com>
wrote:

>
>
> On Mon, Sep 19, 2016 at 1:25 PM, Crispin Cowan <crispin@microsoft.com>
> wrote:
>
>> Neat! I’ve wanted something like this for at least six years, but it gets
>> stuck on the issue that web devs need to do work to opt into it, and thus
>> is likely to suffer low adoption for a long time to come. Worse, the sites
>> that really benefit from it (banking) are old and stable, some of the least
>> likely to update to whatever the new shiny is in web standards. Thus true
>> site isolation (isolate all origins by default) seemed better than
>> isolate-me, with the downside that true site isolation is very hard to
>> achieve.
>>
>>
>>
>> Which leads to a question: does Google see isolate-me as a step towards
>> site isolation? Or are you giving up on site isolation and proposing this
>> instead?
>>
>
> (I'm adding Charlie and Nasko who are members of the site isolation team
> and might have more to say about this.) Definitely we are not giving up on
> site isolation by any means! In fact the site isolation team just shipped a
> major milestone in M55: isolating extension frames by default
> (https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/qlI54-dK4Ac).
> Yay!
>
> As you suggested, turning on site isolation for every site by default is
> definitely the dream, but at the moment it would be prohibitively
> resource-intensive. So I see Isolate-Me as a step towards site isolation,
> in that the browser can use it as a signal -- maybe one among several
> possible signals -- that a site should be isolated in its own process if
> possible.
>
>
>>
>>
>> *From:* Emily Stark (Dunn) [mailto:estark@google.com]
>> *Sent:* Friday, September 16, 2016 8:16 AM
>> *To:* public-webappsec@w3.org
>> *Cc:* Mike West <mkwst@google.com>; Joel Weinberger <jww@google.com>;
>> Tanvi Vyas <tanvi@mozilla.com>
>> *Subject:* Isolate-Me explainer
>>
>>
>>
>> Hi webappsec! Mike, Joel, and I have been discussing an idea for a
>> developer facing opt-in to allow highly security- or privacy-sensitive
>> sites to be isolated from other origins on the web.
>>
>>
>>
>> We wrote up the idea here to explain what we're thinking about, why we
>> think it's important, and the major open questions:
>> https://mikewest.github.io/isolation/explainer.html
>>
>>
>>
>> Please read and comment/criticize/etc. Thoughts welcome, either here in
>> this thread or as GitHub issues. Especially interested to hear from Mozilla
>> folks as it relates to and is heavily inspired by containers.
>>
>>
>>
>> Thanks!
>>
>> Emily
>>
>
>

Received on Tuesday, 20 September 2016 00:09:11 UTC