
Re: P2P Payments

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Mon, 08 Dec 2014 23:00:17 -0500
Message-ID: <548673D1.40703@digitalbazaar.com>
To: Kingsley Idehen <kidehen@openlinksw.com>, public-webpayments@w3.org

On 12/08/2014 06:36 PM, Kingsley Idehen wrote:
> On 12/8/14 1:16 PM, Melvin Carvalho wrote:
>> 
>> SOP = Same Origin Policy.
> 
> Who genuinely needs that in a Web of Trust where verifiable identity 
> is intrinsic and policies are driven by logic?

Everyone. You don't want any random bit of JavaScript to be able to
change any DOM on any page that is loaded in the browser. SOP is a very
good idea for a first defense against attacks. Deny All, then relax just
the bits you need is a good approach to security.

CORS was specifically designed to relax the SOP protections in browsers
in particular important/common scenarios.

> These flaky and inflexible "big brother" hacks eternally undermine 
> the Web, especially via browsers (which are clearly now living on 
> borrowed time) :)

Why is SOP a flaky and inflexible hack?

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments
http://manu.sporny.org/2014/dawn-of-web-payments/
Received on Tuesday, 9 December 2014 04:00:42 UTC
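The two mechanisms Manu contrasts above, SOP as the default deny and CORS as the selective relaxation, are easy to show in code. The block below is an added example, not code from the thread or from any W3C specification text: it reproduces the browser's (scheme, host, port) origin comparison, a server-side allowlist that emits CORS headers only for trusted origins, and the check a browser applies to the response headers before exposing a cross-origin response to script. The origins (`wallet.example`, `api.example`, `evil.example`) and the `ALLOWED` set are constructed sample values.

```javascript
// Added example (not from the mailing-list thread): the same-origin check a
// browser applies, the response-header check it applies to a CORS response,
// and a deny-by-default allowlist a server can use to relax SOP for chosen
// origins only. Origins and URLs below are constructed sample values.

// SOP compares the (scheme, host, port) triple; the URL API's .origin gives
// exactly that, with default ports dropped.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null; // unparseable URL: treat as an opaque origin that matches nothing
  }
}

function isSameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  return a !== null && a === b;
}

// Server side: "deny all, then relax just the bits you need". Only origins in
// the allowlist get an Access-Control-Allow-Origin header; everything else gets
// no CORS headers at all, so the browser withholds the response from scripts.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (requestOrigin === undefined || requestOrigin === 'null') return {};
  if (!allowedOrigins.has(requestOrigin)) return {};
  return {
    'access-control-allow-origin': requestOrigin, // echo the specific origin, never '*' with credentials
    'access-control-allow-credentials': 'true',
    'vary': 'Origin', // responses differ per origin, so caches must key on it
  };
}

// Browser side: decide whether a cross-origin response may be exposed to the
// calling script, following the CORS rules for Allow-Origin and credentials.
function browserExposesResponse(requestOrigin, responseHeaders, withCredentials = false) {
  const allow = responseHeaders['access-control-allow-origin'];
  if (allow === undefined) return false;        // no relaxation: SOP denies
  if (allow === '*') return !withCredentials;   // wildcard is never valid with credentials
  if (allow !== requestOrigin) return false;
  if (withCredentials) {
    return responseHeaders['access-control-allow-credentials'] === 'true';
  }
  return true;
}

// Walk one request from a given page origin through both halves.
function simulateCrossOriginFetch(pageUrl, apiUrl, allowedOrigins, withCredentials = false) {
  if (isSameOrigin(pageUrl, apiUrl)) return 'same-origin: no CORS needed';
  const origin = originOf(pageUrl);
  const headers = corsHeadersFor(origin, allowedOrigins);
  return browserExposesResponse(origin, headers, withCredentials)
    ? 'cross-origin: allowed by CORS'
    : 'cross-origin: blocked by SOP';
}

// Constructed sample: a payment API that trusts exactly one wallet origin.
const ALLOWED = new Set(['https://wallet.example']);

console.log(simulateCrossOriginFetch('https://wallet.example/pay', 'https://api.example/charge', ALLOWED, true));
console.log(simulateCrossOriginFetch('https://evil.example/', 'https://api.example/charge', ALLOWED, true));
```

The server never answers with `*` when credentials are involved and echoes only allowlisted origins, so an unlisted page gets no relaxation at all and the default deny of SOP stands; the `Vary: Origin` header keeps a shared cache from serving one origin's allow header to another.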
