W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2017

Re: Breaking the `opener` relationship.

From: Mike West <mkwst@google.com>
Date: Fri, 28 Apr 2017 11:33:46 +0200
Message-ID: <CAKXHy=cCn8ouMCiHbktHPmyEmVDGhX=+fzQF8QK2Cjaopa3ywg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Artur Janc <aaj@google.com>, Alex Russell <slightlyoff@google.com>, Emily Stark <estark@google.com>, Jonathan Watt <jwatt@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Apr 28, 2017 at 10:55 AM, Anne van Kesteren <annevk@annevk.nl>
wrote:

> On Fri, Apr 28, 2017 at 10:39 AM, Mike West <mkwst@google.com> wrote:
> > Filed https://github.com/WICG/isolation/issues/12 to discuss, as I'd
> prefer
> > that approach to increasing the complexity of the `WindowProxy` checks
> > themselves.
>
> Sounds reasonable.
>
> Now, what happens when an isolated document messages with a
> same-origin document that is not isolated? Is that a risk we care
> about? If you have a capability-based security model you might hand
> around ports and assign authority to those ports. However, if these
> ports are introduced in your system through non-trustworthy pages (per
> the "people make mistakes" bit of the threat model), is that something
> we want to protect against? (Could also be a BroadcastChannel that
> starts emitting propaganda or some such.)
>

This is starting to verge back into the territory of the other thread. In
the hopes of keeping separate things separate: for the mechanism we're
discussing here, I think it's reasonable to say "Do whatever the existing
`WindowProxy` checks do." If they say do an same origin-domain check, then
do a same origin-domain check.

For the broader context, I generally agree with Charlie in
https://lists.w3.org/Archives/Public/public-webappsec/2017Apr/0074.html: I
would prefer for it not to be possible for a given origin to be loaded both
in an isolated and non-isolated way, both because it's hard to implement
and because it's hard to reason about.

If we do end up wanting to load both variants of a page, I think we'd need
to hook into the origin model in some way to make them sufficiently
dissimilar to fail a same origin-domain check. The `isolated` flag sketched
out in  https://wicg.github.io/isolation/#html-origin might be a reasonable
approach.

-mike
Received on Friday, 28 April 2017 09:34:39 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:22 UTC