Fwd: SOFEA & Single Origin Policy?


Ganesh and Sashi Prasad

Sep 18, 2008, 10:23:09 AM
to so...@googlegroups.com
Gents,

I think we need to propose a security extension to take care of cross-site scripting. I suggest that the Application Download will contain a list of approved service endpoints (URIs), that the application container will respect and allow access to. I don't see any other way around this. It'll be a big deal to get the browser makers to get this into their security model, though.

Any other ideas?

Regards,
Ganesh

---------- Forwarded message ----------
From: Ramkumar KB <ramku...@gmail.com>
Date: 2008/9/18
Subject: SOFEA & Single Origin Policy?
To: g.c.p...@gmail.com


Hello Ganesh,

I have been following your blog and SOFEA white paper.

I would like to know your thoughts on how SOFEA works with the limitation of "Single Origin Policy" that exists with many JavaScript front end frameworks? They seem a bit contradictory and make the SOFEA dream a little more restrictive...

Thank you very much.

best regards,
Ramkumar



Peter Svensson

Sep 18, 2008, 12:41:11 PM
to so...@googlegroups.com
My immediate thought on this is that it might not be something that SOFEA should define. It is a model of how to separate concerns between client and server. As you said yourself before, the client need not be a browser. Perhaps there are some kind of generic security boundaries that could be defined, but I'm not certain it's necessary.

On the other hand, it's getting late and I might be barking up the wrong tree. Anyone else? :)

Cheers,
PS

Ganesh and Sashi Prasad

Sep 18, 2008, 6:04:33 PM
to so...@googlegroups.com
For what it's worth, this is what I said to Ramkumar.

Regards,
Ganesh

---------- Forwarded message ----------
From: Ganesh and Sashi Prasad <g.c.p...@gmail.com>
Date: 2008/9/19
Subject: Re: SOFEA & Single Origin Policy?
To: Ramkumar KB <ramku...@gmail.com>


Hi Ramkumar,

Thanks for your mail. You're right, SOP is a pain in that respect. But there are workarounds:

1. Subdomains (The application is downloaded from a download server at http://somecompany.com and makes Data Interchange calls to http://service-module-x.somecompany.com. This restricts services to being within the same organisation but that's a fairly frequent use case.)
2. Proxies (The organisation providing the application also sets up a proxy server like Ninja proxy that provides a same-domain facade to external services. That may open a security hole even if the organisation vets the service providers, because they could be compromised.)
3. Rich clients instead of browsers (Flash, Java WebStart, Silverlight, etc. don't have the SOP restriction.)

There is a lot of discussion happening around the restrictions of SOP, and the browser makers may one day agree on a standard under which the main module will bundle a special file that will securely authorise other URIs that may be allowed to modify its DOM structures.

I'm discussing the SOP issue with a few other people, and we will probably propose something along these lines for implementation by browsers. I hope you will add your voice to push for its adoption.

Regards,
Ganesh

2008/9/18 Ramkumar KB <ramku...@gmail.com>

Kris Zyp

Sep 18, 2008, 6:12:56 PM
to so...@googlegroups.com
Are you guys talking about something different than the effort that browser vendors have been working on (and implementing) for the last few years to create a secure cross-site loading mechanism:
http://www.w3.org/TR/access-control/
Kris
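
Ganesh's list of approved service endpoints and the access-control draft Kris links both depend on comparing origins exactly (scheme, host and port) rather than by substring. The sketch below is an added example, not part of the thread or of the W3C draft; the approved list is constructed from the host names used earlier in the thread, and the function names are hypothetical.

```javascript
// Constructed allowlist; host names reuse the thread's own examples.
const APPROVED = [
  "http://somecompany.com",
  "http://service-module-x.somecompany.com",
];

// Reduce a URI to scheme://host[:port]; return null for anything unusable.
function originOf(uri) {
  let u;
  try { u = new URL(uri); } catch (e) { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (u.username || u.password) return null; // reject user@host confusion
  return u.origin; // host lowercased, default port dropped
}

// Container-side check: may the downloaded application call this endpoint?
function isApprovedEndpoint(uri, approved = APPROVED) {
  const o = originOf(uri);
  return o !== null && approved.some((a) => originOf(a) === o);
}

// Server-side check in the style of the access-control draft: echo the
// caller's origin only when it is on the list, otherwise send no header.
function accessControlHeaders(originHeader, approved = APPROVED) {
  if (!isApprovedEndpoint(originHeader, approved)) return {};
  return {
    "Access-Control-Allow-Origin": originOf(originHeader),
    "Vary": "Origin", // caches must not reuse the response across origins
  };
}
```

Comparing parsed origins instead of string prefixes is what keeps a lookalike host such as `service-module-x.somecompany.com.attacker.example` (constructed) off the list.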

Justin Meyer

Sep 18, 2008, 6:58:23 PM
to SOFEA
I agree with Peter. I feel this exists outside the scope of SOFEA.

That doesn't stop me from wanting it.

Kris, I haven't been keeping up with it; has anyone implemented it? I
know Opera and IE 8 have cross document messaging.

On Sep 18, 5:12 pm, "Kris Zyp" <kris...@gmail.com> wrote:
> Are you guys talking about something different than the effort that browser vendors have been working on (and implementing) for the last few years to create secure cross-site loading mechanism: http://www.w3.org/TR/access-control/
> Kris
>
> ----- Original Message -----
> From: Ganesh and Sashi Prasad
> To: so...@googlegroups.com
> Sent: Thursday, September 18, 2008 4:04 PM
> Subject: Fwd: SOFEA & Single Origin Policy?
>
> For what it's worth, this is what I said to Ramkumar.
>
> Regards,
> Ganesh
>
> ---------- Forwarded message ----------
> From: Ganesh and Sashi Prasad <g.c.pra...@gmail.com>
> Date: 2008/9/19
> Subject: Re: SOFEA & Single Origin Policy?
> To: Ramkumar KB <ramkuma...@gmail.com>
>
> Hi Ramkumar,
>
> Thanks for your mail. You're right, SOP is a pain in that respect. But there are workarounds:
>
> 1. Subdomains (The application is downloaded from a download server at http://somecompany.com and makes Data Interchange calls to http://service-module-x.somecompany.com. This restricts services to being within the same organisation but that's a fairly frequent use case.)
> 2. Proxies (The organisation providing the application also sets up a proxy server like Ninja proxy that provides a same-domain facade to external services. That may open a security hole even if the organisation vets the service providers, because they could be compromised.)
> 3. Rich clients instead of browsers (Flash, Java WebStart, Silverlight, etc. don't have the SOP restriction.)
>
> There is a lot of discussion happening around the restrictions of SOP, and the browser makers may one day agree on a standard under which the main module will bundle a special file that will securely authorise other URIs that may be allowed to modify its DOM structures.
>
> I'm discussing the SOP issue with a few other people, and we will probably propose something along these lines for implementation by browsers. I hope you will add your voice to push for its adoption.
>
> Regards,
> Ganesh
>
> 2008/9/18 Ramkumar KB <ramkuma...@gmail.com>

Kris Zyp

Sep 18, 2008, 7:27:33 PM
to so...@googlegroups.com

> Kris, I haven't been keeping up with it; has anyone implemented it? I
> know opera and IE 8 have cross document messaging.

IE8 implements part of the spec with their new XDomainRequest API. FF3.1,
Safari 4, Opera.next, IE9 should fully implement it.

Kris
