- From: Vasilii Sukhanov <vasilii@google.com>
- Date: Tue, 25 Apr 2017 15:52:09 +0200
- To: Václav Brožek <vabr@google.com>
- Cc: Jochen Eisinger <eisinger@google.com>, "Oda, Terri" <terri.oda@intel.com>, Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, John Wilander <wilander@apple.com>
- Message-ID: <CAAHb+oRS5+6N35nun+mY21qxNLQCm-Lj5a4CAD+LTeWxFQjK8Q@mail.gmail.com>
Re slowdown: we don't need to fetch the manifest for every page. The password management is a supplementary feature. The affiliation info is only needed when there is a password form or a call to the Credential Management API happens.

On Tue, Apr 25, 2017 at 1:46 PM, Václav Brožek <vabr@google.com> wrote:
> Adding Vasilii in Cc, because he works on affiliation support for Chrome.
>
> Cheers,
> Vaclav
>
> On Mon, 24 Apr 2017 at 21:46 Jochen Eisinger <eisinger@google.com> wrote:
>
>> Interesting read, thanks for sharing!
>>
>> I think one difference here is that we don't need to block the initial page load on loading all the other manifests, but it can happen concurrently, so there'd hopefully be no slowdown.
>>
>> On Mon, Apr 24, 2017 at 7:03 PM Oda, Terri <terri.oda@intel.com> wrote:
>>
>>> Back when I was an academic, we wrote a paper on doing mutual affiliation declarations. Here's the html tech report version: https://www.ccsl.carleton.ca/software/soma/soma-techreport/ and the final version that appeared in Computer and Communications Security (CCS '08): http://terri.toybox.ca/doc/academic/oda-ccs-08.pdf
>>>
>>> I still think it's a useful idea. Our data at the time (obviously now a little outdated) showed that managing such a list was pretty doable for most sites, since on average they made use of data from 5.45 sites with a standard deviation of 5.3, so most sites would have a list of 11 or less, although we did find one that had around 45 and it's possible that the average numbers have gone up since the research was done. But it's probably still not untenable to create and maintain manifests for this.
>>>
>>> The downside was the method we used for the implementation required another round trip request to check those manifests, and only loaded content once they were read, so it did cause a noticeable slowdown in practice. If we tied it in to something we're already checking, though, this might not be as big of an issue as it was in 2008.
>>>
>>> On Fri, Apr 21, 2017 at 10:57 AM, Jochen Eisinger <eisinger@google.com> wrote:
>>>
>>>> Right, all involved sites would have to agree on the exact set of involved sites.
>>>>
>>>> On Fri, Apr 21, 2017 at 7:54 PM Daniel Veditz <dveditz@mozilla.com> wrote:
>>>>
>>>>> On Fri, Apr 21, 2017 at 7:44 AM, Jochen Eisinger <eisinger@google.com> wrote:
>>>>>
>>>>>> Android allows for associating an app with one or more sites[1], and so does iOS[2].
>>>>>>
>>>>> [...]
>>>>>
>>>>>> Adding this information to the web manifest, or as part of an origin policy comes to mind.
>>>>>
>>>>> If it's not a mutual opt-in by all sites involved then we're opening a huge hole. Asking the user isn't enough because users are easily fooled.
>>>>>
>>>>> -
>>>>> Dan Veditz

Vasilii Sukhanov
Software Engineer
vasilii@google.com
Google Germany GmbH
Erika-Mann-Straße 33
80636 München
Managing directors: Matthew Scott Sucherman, Paul Terence Manicle
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Received on Wednesday, 26 April 2017 12:59:47 UTC
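The thread turns on two requirements: affiliation must be a mutual opt-in by every site involved, and all of them must agree on the exact set of members. The following is an added example of how a client could enforce that when it resolves a group, written for this archive page and not code from Chrome, the SOMA paper or anyone in the thread. The manifest format (a plain list of origins), the `fetch_manifest()` stand-in for an HTTPS fetch, and every origin and manifest below are assumptions constructed for the example.

```python
"""Mutual affiliation check (added example, not code from the thread).

A set of origins is accepted as one affiliation group only if every
origin in the set publishes a manifest naming exactly that set. A
one-sided claim ("attacker.example says it is affiliated with
bank.example") or any disagreement about membership is rejected.
"""
from typing import Dict, FrozenSet, Optional

# Constructed sample data standing in for manifests fetched from each origin.
# In a real deployment these would be fetched over HTTPS from each site.
MANIFESTS: Dict[str, FrozenSet[str]] = {
    # A consistent group: both members name the same two-element set.
    "https://shop.example": frozenset({"https://shop.example", "https://pay.example"}),
    "https://pay.example": frozenset({"https://shop.example", "https://pay.example"}),
    # A unilateral claim: bank.example's own manifest does not reciprocate.
    "https://attacker.example": frozenset({"https://attacker.example", "https://bank.example"}),
    "https://bank.example": frozenset({"https://bank.example"}),
    # An inconsistent group: a and c name three members, b names only two.
    "https://a.example": frozenset({"https://a.example", "https://b.example", "https://c.example"}),
    "https://b.example": frozenset({"https://a.example", "https://b.example"}),
    "https://c.example": frozenset({"https://a.example", "https://b.example", "https://c.example"}),
}


def fetch_manifest(origin: str) -> Optional[FrozenSet[str]]:
    """Assumed stand-in for fetching the origin's affiliation manifest."""
    return MANIFESTS.get(origin)


def resolve_affiliation_group(origin: str) -> Optional[FrozenSet[str]]:
    """Return the verified affiliation group for `origin`, or None.

    Every origin named in the starting manifest (including `origin`
    itself) must publish a manifest equal to exactly that set. Because
    this fetches one manifest per member, a browser would run it lazily,
    e.g. only when a password form or Credential Management call appears,
    rather than on every page load.
    """
    claimed = fetch_manifest(origin)
    if claimed is None or origin not in claimed:
        return None  # no manifest, or a manifest that omits its own origin
    for member in claimed:
        if fetch_manifest(member) != claimed:
            return None  # missing, non-reciprocal or differently sized manifest
    return claimed


if __name__ == "__main__":
    for o in MANIFESTS:
        print(o, "->", resolve_affiliation_group(o))
```

The comparison is on the whole set, not on pairwise membership, so a group in which one site lists a member the others do not is rejected as well as a plain one-sided claim; that is the "exact set of involved sites" condition from the thread rather than a weaker "each site lists the other" check.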