Hi Brian,

Thanks for forwarding; I didn't understand your point originally. I (or hopefully someone who's already involved in webappsec) will follow up.

Thanks,
Monica

----- Original Message -----
> On Mon, Nov 10, 2014 at 7:15 PM, Monica Chew <[email protected]> wrote:
> > Yep, it's definitely not a perfect solution. A site operator who's willing
> > to concede subdomain control through DNS to a third party provider will
> > definitely be able to work around origin checks. We could try to combat
> > this by, say, resolving domain names to IPs and then blocking those -- but
> > that has its own issues.
> >
> > Many security and privacy problems exhibit arms race qualities. For
> > instance, email spam is at something like 80-90% of all mail. I doubt
> > anyone would make the argument that we should therefore give up on spam
> > fighting because the problem will never be completely solved.
>
> Hi,
>
> I agree with you Monica. I forwarded this email to dev.privacy so that
> people here can be aware of this work in webappsec. In particular, it
> might be worth trying to find ways to improve the planned suborigin
> mechanism so that there is more information in the embedding page that
> helps tracking protection and similar mechanisms--i.e. that allows the
> mechanism to have the positive security benefits that are intended
> without it contributing negatively and unintentionally to that arms
> race. I don't have time to deal with that issue, but I do hope that
> somebody takes it on.
>
> Cheers,
> Brian

_______________________________________________
dev-privacy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-privacy
