W3C home > Mailing lists > Public > www-tag@w3.org > March 2015

Re: Sub-domain granularity: the poverty of the domain name as the only hook for security

From: Mike West <mkwst@google.com>
Date: Mon, 16 Mar 2015 14:55:02 +0100
Message-ID: <CAKXHy=fcuA-9ZLNv55mVCaMwrXtwVFAQh=RwEG+rWit69TGT4w@mail.gmail.com>
To: Tim Berners-Lee <timbl@w3.org>
Cc: Public TAG List <www-tag@w3.org>, Mark Nottingham <mnot@mnot.net>, Brad Hill <hillbrad@gmail.com>
Would you mind clarifying the problems you'd like to address by changing
the origin model?

On Mon, Mar 16, 2015 at 2:28 PM, Tim Berners-Lee <timbl@w3.org> wrote:

> The HSTS spec  http://tools.ietf.org/html/rfc6797 is a good start but it
> is not useful for serious websites which have many separate parts which
> have to have different policies, management, etc.
>

HSTS is, indeed, a sledgehammer. It's really quite good at driving
fence-posts, but less useful for hanging pictures. The per-page suborigins
proposal that WebAppSec has taken up (and that Anne already pointed to)
seems like it might be a reasonable way of adding some granularity. Does it
go in the direction you're interested in?

Similarly the Same Origin Policy in general is very hampering and in that
> it only works at the domain level not at any path level.   It would have
> been not very much harder to set both of them up to work on subtrees within
> the domain, and both would have been much more powerful and useful.  I
> propose they both be fixed in future.
>

Hrm. Cookies take paths into account, and I think they're generally agreed
to be a mess. :)

What properties would you like to be able to share between paths? What
properties do you think should be distinct (and inaccessible)?


> The result of these two has been a pain and many perverse incentives and
> side-effects, for just one example github.com/linkdata having to
> half-move to linkeddata.github.com (which is now a mess and loses
> locality of linking between the two) and
>

How would you propose distinguishing between `github.com/linkeddata` and `
github.com/w3c` (two distinct organiziations, which, I suppose, aren't
same-origin with `github.com/`) on the one hand, and `github.com/blog` on
the other (GitHub's blog, which is theoreticatically same-origin with `
github.com/`)?

Since we're looking at GitHub, note that they migrated to `*.github.io`
(and registered `github.io` as a public suffix) in order to ensure
separation between user pages. In an ideal world, how would they have been
able to handle that use-case?

w3.org not being able to move to HTTPS at all because of being unable to
> apply HTTS path by path.
>

I could understand HSTS being difficult to deploy for the reasons you
outline here. I don't understand how that would prevent path-by-path
migration from HTTP to HTTPS, however. I'd love to see redirects from HTTP
to HTTPS for `www.w3.org/TR/*`, for instance. I'm hopeful that
https://w3c.github.io/webappsec/specs/upgrade/ will help there.

-mike
Received on Monday, 16 March 2015 13:55:51 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:10 UTC