On Tuesday, December 12, 2017 at 3:52:40 PM UTC-6, Ryan Sleevi wrote:
> Yes. This is the foundation and limit of Web Security.
>
> https://en.wikipedia.org/wiki/Same-origin_policy
>
> This is what is programmatically enforced. Anything else either requires new
> technology to technically enforce it (such as a new scheme), or is
> offloading the liability to the user.

The notion that a sub-resource load of a non-EV sort should downgrade the EV display status of the page is very questionable. I'm not sure we need namespace separation for EV versus non-EV subresources.

The cause for this is simple: It is the main page resource at the root of the document which causes each sub-resource to be loaded. There is a "curatorship", if you will, engaged by the site author. If there are sub-resources loaded in, whether they are EV or not, it is the root page author's place to "take responsibility" for the contents of the DV or EV validated sub-resources that they cause to be loaded.

Frankly, I reduce third party origin resources to zero on web applications on systems I design where those systems have strong security implications. Of course, that strategy is probably not likely to be popular at Google, which is, in a quite high percentage of instances, the target origin of all kinds of sub-resources loaded in pages across the web.

If anyone takes the following comment seriously, this probably spawns an entirely separate conversation: I regard an EV certificate as more of a code-signing of a given webpage / website and of the sub-resources whether or not same origin, as they descend from the root page load.

