Re: RFC: Site Affiliation

From: Jochen Eisinger <eisinger@google.com>
Date: Mon, 24 Apr 2017 19:43:51 +0000
Message-ID: <CALjhuic1B5rTycAuxWMc=TGu9GCMSYOEqup1ADW0OkAtyegnQA@mail.gmail.com>
To: "Oda, Terri" <terri.oda@intel.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, John Wilander <wilander@apple.com>

Interesting read, thanks for sharing!

I think one difference here is that we don't need to block the initial page
load on loading all the other manifests, but it can happen concurrently, so
there'd hopefully be no slowdown.

On Mon, Apr 24, 2017 at 7:03 PM Oda, Terri <terri.oda@intel.com> wrote:

> Back when I was an academic, we wrote a paper on doing mutual affiliation
> declarations.  Here's the html tech report version:
> https://www.ccsl.carleton.ca/software/soma/soma-techreport/ and the final
> version that appeared in Computer and Communications Security (CCS '08):
> http://terri.toybox.ca/doc/academic/oda-ccs-08.pdf
>
> I still think it's a useful idea.  Our data at the time (obviously now a
> little outdated) showed that managing such a list was pretty doable for
> most sites, since on average they made use of data from 5.45 sites with a
> standard deviation of 5.3, so most sites would have a list of 11 or less,
> although we did find one that had around 45 and it's possible that the
> average numbers have gone up since the research was done. But it's probably
> still not untenable to create and maintain manifests for this.
>
> The downside was the method we used for the implementation required
> another round trip request to check those manifests, and only loaded
> content once they were read, so it did cause a noticeable slowdown in
> practice.  If we tied it in to something we're already checking, though,
> this might not be as big of an issue as it was in 2008.
>
> On Fri, Apr 21, 2017 at 10:57 AM, Jochen Eisinger <eisinger@google.com>
> wrote:
>
>> Right, all involved sites would have to agree on the exact set of
>> involved sites.
>>
>> On Fri, Apr 21, 2017 at 7:54 PM Daniel Veditz <dveditz@mozilla.com>
>> wrote:
>>
>>> On Fri, Apr 21, 2017 at 7:44 AM, Jochen Eisinger <eisinger@google.com>
>>> wrote:
>>>
>>>> Android allows for associating an app with one or more sites[1], and so
>>>> does iOS[2].
>>>>
>>> [...]
>>>>
>>>
>>>> Adding this information to the web manifest, or as part of an origin
>>>> policy comes to mind.
>>>>
>>>
>>> If it's not a mutual opt-in by all sites involved then we're opening a
>>> huge hole. Asking the user isn't enough because users are easily fooled.
>>>
>>> -
>>> Dan Veditz
>>>
>>>
>
Received on Monday, 24 April 2017 19:44:36 UTC
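
The mutual opt-in requirement discussed in this thread (every involved site must declare the exact same set of sites), shown as an added example that is not part of any message in the thread or of any proposal. The manifest shape (origin mapped to a list of declared origins), the function names and the sample origins are hypothetical.

```javascript
// Hypothetical manifest shape: origin -> list of origins it declares as
// affiliated. Not taken from the thread or from any specification.
function normalizeSet(self, declared) {
  // Canonicalize through the URL parser so "https://SHOP.example:443/" and
  // "https://shop.example" compare equal; a site is always in its own set.
  const set = new Set([new URL(self).origin]);
  for (const entry of declared) set.add(new URL(entry).origin);
  return [...set].sort();
}

function affiliationSet(manifests, origin) {
  const self = new URL(origin).origin;
  const own = manifests.get(self);
  if (!own) return { ok: false, reason: `no manifest for ${self}` };
  const expected = normalizeSet(self, own);
  for (const member of expected) {
    const declared = manifests.get(member);
    // Fail closed: a member that publishes nothing has not opted in.
    if (!declared) return { ok: false, reason: `no manifest for ${member}` };
    const theirs = normalizeSet(member, declared);
    const same = theirs.length === expected.length &&
      theirs.every((o, i) => o === expected[i]);
    // A subset or superset is rejected too: the sets must match exactly.
    if (!same) return { ok: false, reason: `${member} declares a different set` };
  }
  return { ok: true, members: expected };
}

// Constructed sample data (keys are already canonical origins).
const manifests = new Map([
  ["https://shop.example", ["https://pay.example", "https://cdn.example"]],
  ["https://pay.example", ["https://shop.example", "https://cdn.example"]],
  ["https://cdn.example", ["https://SHOP.example:443/", "https://pay.example"]],
  // One-sided claim: bank.example does not list evil.example.
  ["https://evil.example", ["https://bank.example"]],
  ["https://bank.example", []],
]);

console.log(affiliationSet(manifests, "https://shop.example"));
console.log(affiliationSet(manifests, "https://evil.example"));
```

Because each member's manifest is fetched independently of the others, the fetches can run concurrently with the initial page load, with affiliation treated as absent until the check completes.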