W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2017

Re: Single Trust and Same-Origin Policy v2

From: Ángel <angel@16bits.net>
Date: Wed, 29 Mar 2017 01:23:27 +0200
Message-ID: <1490743407.925.18.camel@16bits.net>
To: public-webappsec@w3.org
On 2017-03-27 at 11:51 -0700, John Wilander wrote:

> > What does this encompass?
> Today youtube.com is considered a third-party on a google.com site.
> That’s simply not true. We’re inflating the third-party numbers and
> users have no way of learning how many real third-parties are involved
> in a page load.

Is single trust scope "technical" or "legal" ?

If legal, the goal is simply to have a browser panel stating:
The data you enter into this page might be accessed by:
 The Very Great Healthcare Provider Ltd. (doctor.com)
 jQuery foundation (cdn.jquery.com)
 Google Inc (recaptcha.google.com)

which can probably be extracted from the TLS certificates.

However, melding origins into one doesn't seem that a great idea but for
the simplest pages. There's the already mentioned need of the
relationship being asynchronous. randomjoe.blogspot.com CAN ultimately
trust accounts.google.com, but accounts.google.com MUST NOT trust
Plus, given that you are adding a new interface, it makes more sense
that the specific APIs have to be opt-in specifically. Thus, you could
allow access to a IndexedDB but not to cookies, for instance.
Received on Tuesday, 28 March 2017 23:23:59 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:55:00 UTC