Re: A Somewhat Critical View of SOP (Same Origin Policy) from Alex Russell on 2015-09-28 (public-web-security@w3.org from September 2015)

From: Alex Russell <slightlyoff@google.com>
Date: Mon, 28 Sep 2015 14:29:02 -0700
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: Tony Arcieri <bascule@gmail.com>, GALINDO Virginie <Virginie.Galindo@gemalto.com>, "henry.story@bblfish.net" <henry.story@bblfish.net>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <CANr5HFWparGg3Uav1htn3ncWsS75Fhd28ALhCBF8yjBJeAP2qQ@mail.gmail.com>

On Mon, Sep 28, 2015 at 12:48 PM, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> On 2015-09-28 21:27, Tony Arcieri wrote:
>
>> On Monday, September 28, 2015, Alex Russell <slightlyoff@google.com
>> <mailto:slightlyoff@google.com>> wrote:
>>
>>     Extension APIs are, by definition, outside SOP; not only do they
>> break SOP they exist primarily to subvert it (e.g., content scripts).
>>
>>     This is basic stuff. It's hard to have a conversation about such a
>> complicated area without shared understanding of the basics.
>>
>>
>> I really have to agree. This whole wiki page has so many problems it's
>> effectively a gish gallop*, preventing meaningful conversation because no
>> one could possibly respond to all of the problems.
>>
>
> Thanx :-(
> I don't see why a proper implementation of Native Messaging couldn't
> together with an equally properly written native extension indeed support
> SOP.


If by "proper implementation" you mean bi-directional attestation that the
native service trusts the origin and that the origin expects a conversation
with said service (cryptographically), plus mediation by the browser, plus
exposure to sites directly, then yes that could work -- but not if hosted
inside the Extensions platforms as currently understood.

Which is the long way of saying that citing Native Messaging in this page
is either misdirection regarding the current feature or re-definition of
terms to mean a hoped-for (but not proposed or implemented) separate
feature.

Neither are useful in the context of this discussion.


> I never said this is what the world wants, I only pointed out this as a
> possibility.  U2F could for example have been supported this way.
>
> https://github.com/cyberphone/web2native-bridge#api
>
>
>
>> In an area where there is not only rough consensus and running code, but
>> precise definitions, specifications, and a common nomenclature, this
>> document does a lot of redefining of terms (most notably SOP itself), that
>> is when it's not making slippery slope arguments around the security
>> guarantees SOP can provide and suggesting we give up because SOP is not the
>> universal panacea for all problems.
>>
>> I can cite some specific examples for the curious, but I'm not going to
>> run the gish gallop.
>>
>> My only real request for this Wiki page is it be given a more appropriate
>> name, like "Criticisms of the Same-Origin Policy" (which this document
>> confusingly and repeatedly calls "Single-Origin Policy", itself a testiment
>> to the overall degree of misunderstanding happening here)
>>
>> [1]: http://rationalwiki.org/wiki/Gish_Gallop
>>
>>
>> --
>> Tony Arcieri
>>
>>
>

Received on Monday, 28 September 2015 21:29:59 UTC