On Mon, Nov 10, 2014 at 7:15 PM, Monica Chew <[email protected]> wrote: > Yep, it's definitely not a perfect solution. A site operator who's willing to > concede subdomain control through DNS to a third party provider will > definitely be able to work around origin checks. We could try to combat this > by, say, resolving domain names to IPs and then blocking those -- but that > has its own issues. > > Many security and privacy problems exhibit arms race qualities. For instance, > email spam is at something like 80-90% of all mail. I doubt anyone would make > the argument that we should therefore give up on spam fighting because the > problem will never be completely solved.
Hi, I agree with you Monica. I forwarded this email to dev.privacy so that people here can be aware of this work in webappsec. In particular, it might be worth trying to find ways to improve the planned suborigin mechanism so that there is more information in the embedding page that helps tracking protection and similar mechanisms--i.e. that allows the mechanism to have the positive security benefits that are intended without it contributing negatively and unintentionally to that arms race. I don't have time to deal with that issue, but I do hope that somebody takes it on. Cheers, Brian _______________________________________________ dev-privacy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-privacy
