- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Sun, 19 Oct 2014 11:44:52 -0700
- To: Mike West <mkwst@google.com>
- Cc: WHAT Working Group Mailing List <whatwg@whatwg.org>, Jonas Sicking <jonas@sicking.cc>
> Like most other things in security, this proposal would make an attacker's
> job harder, but certainly not impossible. It is not revolutionary in any
> sense, but throws up some new roadblocks, and is _trivial_ for a website
> author to implement. That last bit is important.

Well, it's always easier to criticize designs than to come up with them, and I am acutely aware that my critique essentially amounts to a gut feeling that with every design tweak I can think of, we're headed for one of two options:

1) Something that will give people a completely false sense of security (if we don't do taint-tracking *or* don't force very strict CSP policing + sweeping changes to several other browser mechanisms),

2) Something that will be extremely difficult to implement correctly and will keep constantly falling apart (if the aforementioned solutions are in).

But it's a very existential discussion, and if you think the API is worth the pain (i.e., we expect that sites will adopt the mechanism and that users won't be inclined to manually enter passwords / sensitive details into forms, which is something outside the threat model here) - I think it's fine to give it a go.

When solutions seem easy at first, but get incredibly complicated and brittle as you start digging in, I'm always reminded of what we almost got instead of SOP:

http://lcamtuf.blogspot.com/2012/11/lessons-in-history.html

Cheers :-)
/mz
Received on Sunday, 19 October 2014 22:47:29 UTC