Re: Isolate-Me explainer

On Mon, Sep 19, 2016 at 5:05 PM, Charlie Reis <creis@chromium.org> wrote:

> Thanks Emily.  I might suggest referencing our "App Isolation: Get the
> Security of Multiple Browsers with Just One
> <http://www.charlesreis.com/research/publications/ccs-2011.pdf>" paper in
> the explainer as well, since that covers some investigation of EPR, process
> isolation, and doubly keyed storage, and it breaks down what protections
> you get if you only opt in to some of the mechanisms.
>

Thanks for the pointer, Charlie. I didn't realize that paper was so very
closely related. I'm reading it now so I can summarize it accurately and
then will update the doc with a reference.


>
> Anyway, we do hope to automatically identify some subset of sites that
> would benefit from process isolation (e.g., that users have signed into or
> are likely to), but having a hint like this from sites would be nice.
>
> I also definitely agree that combining these various types of isolation
> can have nice properties, if the sites are ok with the consequences (e.g.,
> no authenticated third party widgets like Like buttons, limited deep
> linking, etc).
>
> Charlie
>
>
> On Mon, Sep 19, 2016 at 2:46 PM, Emily Stark (Dunn) <estark@google.com>
> wrote:
>
>>
>>
>> On Mon, Sep 19, 2016 at 1:25 PM, Crispin Cowan <crispin@microsoft.com>
>> wrote:
>>
>>> Neat! I’ve wanted something like this for at least six years, but it
>>> gets stuck on the issue that web devs need to do work to opt into it, and
>>> thus is likely to suffer low adoption for a long time to come. Worse, the
>>> sites that really benefit from it (banking) are old and stable, some of the
>>> least likely to update to whatever the new shiny is in web standards. Thus
>>> true site isolation (isolate all origins by default) seemed better than
>>> isolate-me, with the downside that true site isolation is very hard to
>>> achieve.
>>>
>>>
>>>
>>> Which leads to a question: does Google see isolate-me as a step towards
>>> site isolation? Or are you giving up on site isolation and proposing this
>>> instead?
>>>
>>
>> (I'm adding Charlie and Nasko who are members of the site isolation team
>> and might have more to say about this.) Definitely we are not giving up on
>> site isolation by any means! In fact the site isolation team just shipped a
>> major milestone in M55: isolating extension frames by default (
>> https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/qlI54-dK4Ac).
>> Yay!
>>
>> As you suggested, turning on site isolation for every site by default is
>> definitely the dream, but at the moment it would be prohibitively
>> resource-intensive. So I see Isolate-Me as a step towards site isolation,
>> in that the browser can use it as a signal -- maybe one among several
>> possible signals -- that a site should be isolated in its own process if
>> possible.
>>
>>
>>>
>>>
>>> *From:* Emily Stark (Dunn) [mailto:estark@google.com]
>>> *Sent:* Friday, September 16, 2016 8:16 AM
>>> *To:* public-webappsec@w3.org
>>> *Cc:* Mike West <mkwst@google.com>; Joel Weinberger <jww@google.com>;
>>> Tanvi Vyas <tanvi@mozilla.com>
>>> *Subject:* Isolate-Me explainer
>>>
>>>
>>>
>>> Hi webappsec! Mike, Joel, and I have been discussing an idea for a
>>> developer-facing opt-in to allow highly security- or privacy-sensitive
>>> sites to be isolated from other origins on the web.
>>>
>>>
>>>
>>> We wrote up the idea here to explain what we're thinking about, why we
>>> think it's important, and the major open questions:
>>> https://mikewest.github.io/isolation/explainer.html
>>>
>>>
>>>
>>> Please read and comment/criticize/etc. Thoughts welcome, either here in
>>> this thread or as GitHub issues. Especially interested to hear from Mozilla
>>> folks as it relates to and is heavily inspired by containers.
>>>
>>>
>>>
>>> Thanks!
>>>
>>> Emily
>>>
>>
>>
>

Received on Wednesday, 21 September 2016 06:20:56 UTC