
Re: Isolate-Me explainer

From: Craig Francis <craig.francis@gmail.com>
Date: Tue, 20 Sep 2016 09:48:23 +0100
Cc: Mike West <mkwst@google.com>, Joel Weinberger <jww@google.com>, Tanvi Vyas <tanvi@mozilla.com>, "Emily Stark (Dunn)" <estark@google.com>
Message-Id: <E21131F3-98A9-49A4-9F10-C0D0CFF77245@gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

As a website developer, Isolate-Me would be very useful for a couple of the websites I work on.

Overall it sounds like it would be very easy to implement; my only concern is links into the website.

I appreciate that reflected XSS/CSRF is a major issue, so I think you are correct to block direct navigation.

However, I frequently use links to help users (e.g. bookmarks to specific features, or to support an explanation of a new feature).

In the Open Questions section you mention "we could transform navigations into a navigation to the root URL with some sort of message to allow the site to decide whether the navigation should go through".

May I suggest that the message is instead a header to simply say what the original URL was?

This would allow the website developer to do a simple 302 redirect, if they consider it safe to do so.


> On 16 Sep 2016, at 16:15, Emily Stark (Dunn) <estark@google.com> wrote:
> Hi webappsec! Mike, Joel, and I have been discussing an idea for a developer facing opt-in to allow highly security- or privacy-sensitive sites to be isolated from other origins on the web.
> We wrote up the idea here to explain what we're thinking about, why we think it's important, and the major open questions: https://mikewest.github.io/isolation/explainer.html
> Please read and comment/criticize/etc. Thoughts welcome, either here in this thread or as GitHub issues. Especially interested to hear from Mozilla folks as it relates to and is heavily inspired by containers.
> Thanks!
> Emily
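An added example, not part of this message or of the Isolate-Me explainer, of the server-side handling the suggestion above describes in Python: the isolated site receives the navigation rewritten to its root URL, reads the originally requested URL from a header (the name X-Original-Url is a hypothetical placeholder, as is the example.com origin and allowlist), and answers with a 302 only when that URL is a same-origin deep link the site has decided is safe to restore.

```python
# Added example, not from the Isolate-Me explainer or the poster: a handler for
# the suggested scheme, where a navigation into an isolated site is rewritten to
# the root URL plus a header carrying the original URL. The header name
# "X-Original-Url", the origin and the allowlist are hypothetical placeholders.
from urllib.parse import urlsplit, urlencode, parse_qsl

SITE_ORIGIN = "https://example.com"  # constructed sample origin

# Deep links the site considers safe to restore: path -> query keys it accepts.
# Unknown paths (and anything state-changing) fall back to serving the root page.
SAFE_DEEP_LINKS = {
    "/reports": {"year", "month"},
    "/settings/notifications": set(),
    "/help/new-feature": {"topic"},
}


def decide_redirect(original_url):
    """Return (status, headers) for the rewritten root request.

    302 with a Location is returned only when the original URL is same-origin,
    its path is an allowlisted deep link, and every query key is allowlisted;
    otherwise the root page is served (200) and the original URL is ignored.
    """
    if not original_url:
        return 200, {}
    parts = urlsplit(original_url)
    # Same-origin check on scheme and host: never redirect off-site.
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return 200, {}
    allowed_keys = SAFE_DEEP_LINKS.get(parts.path)
    if allowed_keys is None:
        return 200, {}
    query = parse_qsl(parts.query, keep_blank_values=True)
    if any(key not in allowed_keys for key, _ in query):
        return 200, {}
    # Rebuild the target from validated parts instead of echoing the header, so
    # only the allowlisted path and re-encoded query reach the Location header
    # (urlencode percent-encodes CR/LF, which also blocks header injection).
    location = SITE_ORIGIN + parts.path
    if query:
        location += "?" + urlencode(query)
    return 302, {"Location": location}


def handle_root_request(headers):
    """Entry point for a request to '/': reads the hypothetical header and decides."""
    return decide_redirect(headers.get("X-Original-Url", ""))
```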

Received on Tuesday, 20 September 2016 08:48:53 UTC
