W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2017

Re: RFC: Site Affiliation

From: Vasilii Sukhanov <vasilii@google.com>
Date: Tue, 25 Apr 2017 15:52:09 +0200
Message-ID: <CAAHb+oRS5+6N35nun+mY21qxNLQCm-Lj5a4CAD+LTeWxFQjK8Q@mail.gmail.com>
To: Václav Brožek <vabr@google.com>
Cc: Jochen Eisinger <eisinger@google.com>, "Oda, Terri" <terri.oda@intel.com>, Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, John Wilander <wilander@apple.com>
Re slowdown: we don't need to fetch the manifest for every page. The
password management is a supplementary feature. The affiliation info is
only needed when there is a password form or a call to the Credential
Management API happens.

On Tue, Apr 25, 2017 at 1:46 PM, Václav Brožek <vabr@google.com> wrote:

> Adding Vasilii in Cc, because he works on affiliation support for Chrome.
>
> Cheers,
> Vaclav
>
> On Mon, 24 Apr 2017 at 21:46 Jochen Eisinger <eisinger@google.com> wrote:
>
>> Interesting read, thanks for sharing!
>>
>> I think one difference here is that we don't need to block the initial
>> page load on loading all the other manifests, but it can happen
>> concurrently, so there'd hopefully be no slowdown.
>>
>> On Mon, Apr 24, 2017 at 7:03 PM Oda, Terri <terri.oda@intel.com> wrote:
>>
>>> Back when I was an academic, we wrote a paper on doing mutual
>>> affiliation declrations.  Here's the html tech report version:
>>> https://www.ccsl.carleton.ca/software/soma/soma-techreport/ and the
>>> final version that appeared in  Computer and Communications Security (CCS
>>> '08): http://terri.toybox.ca/doc/academic/oda-ccs-08.pdf
>>>
>>> I still think it's a useful idea.  Our data at the time (obviously now a
>>> little outdated) showed that managing such a list was pretty doable for
>>> most sites, since on average they made use of data from 5.45 sites with a
>>> standard deviation of 5.3, so most sites would have a list of 11 or less,
>>> although we did find one that had around 45 and it's possible that the
>>> average numbers have gone up since the research was done. But it's probably
>>> still not untenable to create and maintain manifests for this.
>>>
>>> The downside was the method we used for the implementation required
>>> another round trip request to check those manifests, and only loaded
>>> content once they were read, so it did cause a noticeable slowdown in
>>> practice.  If we tied it in to something we're already checking, though,
>>> this might not as big of an issue as it was in 2008.
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Apr 21, 2017 at 10:57 AM, Jochen Eisinger <eisinger@google.com>
>>> wrote:
>>>
>>>> Right, all involved sites would have to agree on the exact set of
>>>> involved sites.
>>>>
>>>> On Fri, Apr 21, 2017 at 7:54 PM Daniel Veditz <dveditz@mozilla.com>
>>>> wrote:
>>>>
>>>>> On Fri, Apr 21, 2017 at 7:44 AM, Jochen Eisinger <eisinger@google.com>
>>>>> wrote:
>>>>>
>>>>>> Android allows for associating an app with one or more sites[1], and
>>>>>> so does iOS[2].
>>>>>>
>>>>> ​ [...]
>>>>>>
>>>>>
>>>>>> Adding this information to the web manifest, or as part of an origin
>>>>>> policy comes to mind.
>>>>>>
>>>>>
>>>>> ​If it's not a mutual opt-in by all sites involved then we're opening
>>>>> a huge hole. Asking the user isn't enough because users are easily fooled​.
>>>>>
>>>>> -
>>>>> ​Dan Veditz​
>>>>>
>>>>>
>>>
Vasilii Sukhanov

Software Engineer

vasilii@google.com


Google Germany GmbH

Erika-Mann-Straße 33

80636 München

Geschäftsführer: Matthew Scott Sucherman, Paul Terence Manicle

Registergericht und -nummer: Hamburg, HRB 86891

Sitz der Gesellschaft: Hamburg
Received on Wednesday, 26 April 2017 12:59:47 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:22 UTC