W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2017

Re: RFC: Site Affiliation

From: Oda, Terri <terri.oda@intel.com>
Date: Mon, 24 Apr 2017 10:03:35 -0700
Message-ID: <CACoC0R-j8h47dCTK1GEyevg1XKHXRgJg45NPiE50o5M49bHZoA@mail.gmail.com>
To: Jochen Eisinger <eisinger@google.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, John Wilander <wilander@apple.com>
Back when I was an academic, we wrote a paper on doing mutual affiliation
declrations.  Here's the html tech report version:
https://www.ccsl.carleton.ca/software/soma/soma-techreport/ and the final
version that appeared in  Computer and Communications Security (CCS '08):
http://terri.toybox.ca/doc/academic/oda-ccs-08.pdf

I still think it's a useful idea.  Our data at the time (obviously now a
little outdated) showed that managing such a list was pretty doable for
most sites, since on average they made use of data from 5.45 sites with a
standard deviation of 5.3, so most sites would have a list of 11 or less,
although we did find one that had around 45 and it's possible that the
average numbers have gone up since the research was done. But it's probably
still not untenable to create and maintain manifests for this.

The downside was the method we used for the implementation required another
round trip request to check those manifests, and only loaded content once
they were read, so it did cause a noticeable slowdown in practice.  If we
tied it in to something we're already checking, though, this might not as
big of an issue as it was in 2008.






On Fri, Apr 21, 2017 at 10:57 AM, Jochen Eisinger <eisinger@google.com>
wrote:

> Right, all involved sites would have to agree on the exact set of involved
> sites.
>
> On Fri, Apr 21, 2017 at 7:54 PM Daniel Veditz <dveditz@mozilla.com> wrote:
>
>> On Fri, Apr 21, 2017 at 7:44 AM, Jochen Eisinger <eisinger@google.com>
>> wrote:
>>
>>> Android allows for associating an app with one or more sites[1], and so
>>> does iOS[2].
>>>
>> ​ [...]
>>>
>>
>>> Adding this information to the web manifest, or as part of an origin
>>> policy comes to mind.
>>>
>>
>> ​If it's not a mutual opt-in by all sites involved then we're opening a
>> huge hole. Asking the user isn't enough because users are easily fooled​.
>>
>> -
>> ​Dan Veditz​
>>
>>
Received on Monday, 24 April 2017 17:04:10 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:22 UTC