On Mon, Nov 23, 2015 at 8:01 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> As shown in the upper part of this one-page document
> http://webpki.org/papers/permissions.pdf
> which I published after the workshop which I also attended.
>
Yes, this is a very good depiction of the sorts of user interfaces that
people have tried to add in order to expose these tokens to browsers.
These sorts of interfaces are extremely confusing and do not provide enough
context or make things clear enough for users to make meaningful security
decisions.

Without solving the same-origin problem they immediately opt users into
many decisions they are not prepared to make, and also expose users to a
whole class of cross-origin attacks which are not possible with systems
based on origin-bound certificates/credentials.

The modern solutions to this sort of problem are built on the same-origin
policy as a first principle, and thereby mitigate the majority of
cross-origin attacks by design.

See:
http://www.browserauth.net/
http://www.browserauth.net/origin-bound-certificates
http://www.browserauth.net/channel-bound-cookies

U2F was designed this way and would work very well with the system
described above.

--
Tony Arcieri
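
Added example, not part of the original message or of any project it links to: a simplified model of the origin binding described in the reply above, showing why an assertion produced on one origin fails to verify at another. HMAC from the Python standard library stands in for the ECDSA signatures real U2F uses, and the class names and `.example` origins are constructed for illustration.

```python
import hashlib
import hmac
import os


class Authenticator:
    """Token model (assumption): one device secret, a distinct key per origin."""

    def __init__(self):
        self._device_secret = os.urandom(32)

    def _key_for(self, origin):
        # Origin binding: the key depends on the origin the browser reports,
        # so two origins never share a credential.
        return hmac.new(self._device_secret, origin.encode(), hashlib.sha256).digest()

    def register(self, origin):
        # Symmetric stand-in: a real U2F token returns an ECDSA public key here.
        return self._key_for(origin)

    def sign(self, origin, challenge):
        # `origin` is supplied by the browser, never by page content.
        msg = hashlib.sha256(origin.encode()).digest() + challenge
        return hmac.new(self._key_for(origin), msg, hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, origin):
        self.origin = origin
        self.registered_key = None

    def enroll(self, token):
        self.registered_key = token.register(self.origin)

    def verify(self, challenge, assertion):
        # The server recomputes over its OWN origin, not one the client claims.
        msg = hashlib.sha256(self.origin.encode()).digest() + challenge
        expected = hmac.new(self.registered_key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def demo():
    token = Authenticator()
    bank = RelyingParty("https://bank.example")  # constructed origin
    bank.enroll(token)
    challenge = os.urandom(32)
    # Direct visit: the browser reports the bank's own origin.
    direct = token.sign("https://bank.example", challenge)
    # Same challenge presented on a look-alike page: a different origin is reported.
    relayed = token.sign("https://bank-login.example", challenge)
    return bank.verify(challenge, direct), bank.verify(challenge, relayed)
```

The user is never asked to judge which site they are on; the mismatch is rejected by the verification step itself.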