I don't want to spend too much time digressing into a discussion of the same origin policy as a basis for a reasonable security model for the web, but I hope we could all agree on one thing that was abundantly obvious twenty years ago, and has only become more obvious:
Anything originally introduced by Netscape is horribly broken and needs to be replaced. -Tim > -----Original Message----- > From: dev-security-policy [mailto:dev-security-policy- > bounces+tim.hollebeek=digicert....@lists.mozilla.org] On Behalf Of > Matthew Hardeman via dev-security-policy > Sent: Wednesday, December 13, 2017 2:41 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: On the value of EV > > On Tuesday, December 12, 2017 at 3:52:40 PM UTC-6, Ryan Sleevi wrote: > > > Yes. This is the foundation and limit of Web Security. > > > > > https://clicktime.symantec.com/a/1/GrbZLkNqUS91rgzMay4M15oOr3bYABO > Whq1 > > K3U87RIo=?d=pHiUFZpus7xBKMLSCUAfZRndcniHFdqZrXgc- > _r0FxYSwiMHScu8QgSvJy > > E8LSHlko0v84eVoyDMoTZTqKVUvrQ_LxFgoZAq1f- > Iw1ESfQHF0h4v_K1IjkBwaIhjNiNX > > coOSGp7NnMokKR3ug1bd6esHHwnMamBgCwow-ecE3suQ9uS4- > zfp_NLR0LWp-kXGqFhQqR > > AfcAImdNz09yApHBItSOYOep3BWfyNMoDnHxlSQJaFx3zhDxV3a- > AkndjySZN86maZVN5c > > DBfq3b_73V2qS22vAabmGLFF5uZN8g8Lxstv8tiVTx9_BPzKFZVzWHsrnnheL- > W3D22riT > > AFkvNYWYFwJ1fHe0NpVNxMU3y4vi7I9_zIoxa24Fox- > VmvQlMPLAbZZwHNAumWKMqIhjrt > > > k76Lk7EkqLehoiC9__j0qne7lDkDd47_&u=https%3A%2F%2Fen.wikipedia.org% > 2Fwi > > ki%2FSame-origin_policy > > > > This is what is programatically enforced. Anything else either > > requires new technology to technically enforce it (such as a new > > scheme), or is offloading the liability to the user. > > > > The notion that a sub-resource load of a non-EV sort should downgrade the EV > display status of the page is very questionable. > > I'm not sure we need namespace separation for EV versus non-EV > subresouces. > > The cause for this is simple: > > It is the main page resource at the root of the document which causes each > sub-resource to be loaded. > > There is a "curatorship", if you will, engaged by the site author. If there are > sub-resources loaded in, whether they are EV or not, it is the root page > author's place to "take responsibility" for the contents of the DV or EV > validated sub-resources that they cause to be loaded. > > Frankly, I reduce third party origin resources to zero on web applications on > systems I design where those systems have strong security implications. > > Of course, that strategy is probably not likely to be popular at Google, which > is, in a quite high percentage of instances, the target origin of all kinds of sub- > resources loaded in pages across the web. > > If anyone takes the following comment seriously, this probably spawns an > entirely separate conversation: I regard an EV certificate as more of a code- > signing of a given webpage / website and of the sub-resources whether or not > same origin, as they descend from the root page load. > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://clicktime.symantec.com/a/1/oq_SYtg88dEoDRxJA115VhfXkFgyjy6paw > HDkVPMqrM=?d=pHiUFZpus7xBKMLSCUAfZRndcniHFdqZrXgc- > _r0FxYSwiMHScu8QgSvJyE8LSHlko0v84eVoyDMoTZTqKVUvrQ_LxFgoZAq1f- > Iw1ESfQHF0h4v_K1IjkBwaIhjNiNXcoOSGp7NnMokKR3ug1bd6esHHwnMamBg > Cwow-ecE3suQ9uS4-zfp_NLR0LWp- > kXGqFhQqRAfcAImdNz09yApHBItSOYOep3BWfyNMoDnHxlSQJaFx3zhDxV3a- > AkndjySZN86maZVN5cDBfq3b_73V2qS22vAabmGLFF5uZN8g8Lxstv8tiVTx9_B > PzKFZVzWHsrnnheL- > W3D22riTAFkvNYWYFwJ1fHe0NpVNxMU3y4vi7I9_zIoxa24Fox- > VmvQlMPLAbZZwHNAumWKMqIhjrtk76Lk7EkqLehoiC9__j0qne7lDkDd47_&u > =https%3A%2F%2Flists.mozilla.org%2Flistinfo%2Fdev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy