- From: Václav Brožek <vabr@google.com>
- Date: Tue, 25 Apr 2017 11:46:48 +0000
- To: Jochen Eisinger <eisinger@google.com>, "Oda, Terri" <terri.oda@intel.com>
- Cc: Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, John Wilander <wilander@apple.com>, Vasilii Sukhanov <vasilii@google.com>
- Message-ID: <CAN8iHehBXJPhScU8F1uaOdCR1V+6ng7bq2p0x2_SbqFE9=9CSw@mail.gmail.com>
Adding Vasilii in Cc, because he works on affiliation support for Chrome.

Cheers,
Vaclav

On Mon, 24 Apr 2017 at 21:46 Jochen Eisinger <eisinger@google.com> wrote:

> Interesting read, thanks for sharing!
>
> I think one difference here is that we don't need to block the initial page load on loading all the other manifests, but it can happen concurrently, so there'd hopefully be no slowdown.
>
> On Mon, Apr 24, 2017 at 7:03 PM Oda, Terri <terri.oda@intel.com> wrote:
>
>> Back when I was an academic, we wrote a paper on doing mutual affiliation declarations. Here's the html tech report version: https://www.ccsl.carleton.ca/software/soma/soma-techreport/ and the final version that appeared in Computer and Communications Security (CCS '08): http://terri.toybox.ca/doc/academic/oda-ccs-08.pdf
>>
>> I still think it's a useful idea. Our data at the time (obviously now a little outdated) showed that managing such a list was pretty doable for most sites, since on average they made use of data from 5.45 sites with a standard deviation of 5.3, so most sites would have a list of 11 or less, although we did find one that had around 45 and it's possible that the average numbers have gone up since the research was done. But it's probably still not untenable to create and maintain manifests for this.
>>
>> The downside was the method we used for the implementation required another round trip request to check those manifests, and only loaded content once they were read, so it did cause a noticeable slowdown in practice. If we tied it in to something we're already checking, though, this might not be as big of an issue as it was in 2008.
>>
>> On Fri, Apr 21, 2017 at 10:57 AM, Jochen Eisinger <eisinger@google.com> wrote:
>>
>>> Right, all involved sites would have to agree on the exact set of involved sites.
>>>
>>> On Fri, Apr 21, 2017 at 7:54 PM Daniel Veditz <dveditz@mozilla.com> wrote:
>>>
>>>> On Fri, Apr 21, 2017 at 7:44 AM, Jochen Eisinger <eisinger@google.com> wrote:
>>>>
>>>>> Android allows for associating an app with one or more sites[1], and so does iOS[2].
>>>>>
>>>> [...]
>>>>>
>>>>> Adding this information to the web manifest, or as part of an origin policy comes to mind.
>>>>>
>>>> If it's not a mutual opt-in by all sites involved then we're opening a huge hole. Asking the user isn't enough because users are easily fooled.
>>>>
>>>> -
>>>> Dan Veditz
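As an added illustration of the mutual-approval idea discussed in this thread (example code written for this page, not SOMA's implementation and not anything posted by the participants): each site's manifest is modelled as the set of origins it declares affiliated, using constructed sample manifests; the real SOMA manifest format, the fetch mechanism and the extra round trip are not modelled. The two checks separate the "mutual opt-in" requirement from the stricter "all sites agree on the exact set" requirement.

```python
# Added example: a toy mutual-approval check over affiliation manifests.
# Each site publishes a manifest naming the origins it considers affiliated.
# The manifests below are constructed sample data, not real sites or the
# real SOMA manifest format.
from typing import Dict, FrozenSet, Optional

Manifests = Dict[str, FrozenSet[str]]

SAMPLE_MANIFESTS: Manifests = {
    # A consistent group: every member names exactly the other members.
    "https://shop.example": frozenset({"https://cdn.example", "https://pay.example"}),
    "https://cdn.example": frozenset({"https://shop.example", "https://pay.example"}),
    "https://pay.example": frozenset({"https://shop.example", "https://cdn.example"}),
    # A one-sided claim: claimant lists shop, but shop never reciprocates.
    "https://claimant.example": frozenset({"https://shop.example"}),
    # Partial agreement: blog and ads list each other, but ads also lists a
    # third site that blog does not, so the sets are not identical.
    "https://blog.example": frozenset({"https://ads.example"}),
    "https://ads.example": frozenset({"https://blog.example", "https://tracker.example"}),
    "https://tracker.example": frozenset({"https://ads.example"}),
}


def declares(manifests: Manifests, origin: str, peer: str) -> bool:
    """True if origin's manifest lists peer. A site with no manifest declares nothing."""
    return peer in manifests.get(origin, frozenset())


def mutually_approved(manifests: Manifests, a: str, b: str) -> bool:
    """Mutual opt-in: both sides must list each other; a one-sided claim is rejected."""
    return declares(manifests, a, b) and declares(manifests, b, a)


def affiliation_group(manifests: Manifests, origin: str) -> Optional[FrozenSet[str]]:
    """Stricter check: all involved sites must agree on the exact set.

    Returns the group (origin plus its declared affiliates) if every member's
    own manifest, plus itself, equals that same set; otherwise None.
    """
    group = frozenset({origin}) | manifests.get(origin, frozenset())
    for member in group:
        declared = frozenset({member}) | manifests.get(member, frozenset())
        if declared != group:
            return None
    return group
```

Note that `blog.example` and `ads.example` pass the pairwise check but fail the exact-set check, which is the gap between the two positions in the thread.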
Received on Wednesday, 26 April 2017 12:59:47 UTC