Re: [whatwg] Proposal: Write-only submittable form-associated controls.

> Like most other things in security, this proposal would make an attacker's
> job harder, but certainly not impossible. It is not revolutionary in any
> sense, but throws up some new roadblocks, and is _trivial_ for a website
> author to implement. That last bit is important.

Well, it's always easier to criticize designs than to come up with
them, and I am acutely aware that my critique essentially amounts to a
gut feeling that with every design tweak I can think of, we're headed
for one of two options:

1) Something that will give people a completely false sense of
security (if we don't do taint-tracking *or* don't force very strict
CSP policing + sweeping changes to several other browser mechanisms),

2) Something that will be extremely difficult to implement correctly
and will keep constantly falling apart (if the aforementioned
solutions are in).

But it's a very existential discussion, and if you think the API is
worth the pain (i.e., we expect that sites will adopt the mechanism
and that users won't be inclined to manually enter passwords /
sensitive details into forms, which is something outside the threat
model here) - I think it's fine to give it a go.

When solutions seem easy at first, but get incredibly complicated and
brittle as you start digging in, I'm always reminded of what we almost
got instead of SOP:

http://lcamtuf.blogspot.com/2012/11/lessons-in-history.html

Cheers :-)

/mz

Received on Sunday, 19 October 2014 22:47:29 UTC