Of course not - facetious or not, it’s similarly logically and empirically
flawed.

On Wed, Dec 13, 2017 at 7:29 PM Tim Hollebeek via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> I don't want to spend too much time digressing into a discussion of the same
> origin policy as a basis for a reasonable security model for the web, but I
> hope we could all agree on one thing that was abundantly obvious twenty
> years ago, and has only become more obvious:
>
> Anything originally introduced by Netscape is horribly broken and needs to
> be replaced.
>
> -Tim
>
> > -----Original Message-----
> > From: dev-security-policy [mailto:dev-security-policy-
> > bounces+tim.hollebeek=digicert....@lists.mozilla.org] On Behalf Of
> > Matthew Hardeman via dev-security-policy
> > Sent: Wednesday, December 13, 2017 2:41 PM
> > To: mozilla-dev-security-pol...@lists.mozilla.org
> > Subject: Re: On the value of EV
> >
> > On Tuesday, December 12, 2017 at 3:52:40 PM UTC-6, Ryan Sleevi wrote:
> >
> > > Yes. This is the foundation and limit of Web Security.
> > >
> > >
> > > https://en.wikipedia.org/wiki/Same-origin_policy
> > >
> > > This is what is programmatically enforced. Anything else either
> > > requires new technology to technically enforce it (such as a new
> > > scheme), or is offloading the liability to the user.
> > >
> >
> > The notion that a sub-resource load of a non-EV sort should downgrade the EV
> > display status of the page is very questionable.
> >
> > I'm not sure we need namespace separation for EV versus non-EV
> > subresources.
> >
> > The cause for this is simple:
> >
> > It is the main page resource at the root of the document which causes each
> > sub-resource to be loaded.
> >
> > There is a "curatorship", if you will, engaged by the site author.  If there are
> > sub-resources loaded in, whether they are EV or not, it is the root page
> > author's place to "take responsibility" for the contents of the DV or EV
> > validated sub-resources that they cause to be loaded.
> >
> > Frankly, I reduce third party origin resources to zero on web applications on
> > systems I design where those systems have strong security implications.
> >
> > Of course, that strategy is probably not likely to be popular at Google, which
> > is, in a quite high percentage of instances, the target origin of all kinds of
> > sub-resources loaded in pages across the web.
> >
> > If anyone takes the following comment seriously, this probably spawns an
> > entirely separate conversation: I regard an EV certificate as more of a
> > code-signing of a given webpage / website and of the sub-resources whether or
> > not same origin, as they descend from the root page load.
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
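The boundary Ryan points at (the Same-origin policy: scheme, host and port of each fetch) and the audit a page author taking Matthew's "zero third-party origins" stance would run over a root document's sub-resources, as an added example that is not code from any message in this thread. It runs under Node.js using the global WHATWG `URL`; the sample document and sub-resource URLs are constructed placeholders, and the Content-Security-Policy matcher is a deliberately simplified model of CSP source expressions (an assumption of the example, not a full implementation).

```javascript
// Added example, not code from any message in this thread. It models the
// Same-origin policy's (scheme, host, port) boundary and the sub-resource
// audit a root-page author who wants "zero third-party origins" would run.
// Runs under Node.js; URL is a global in Node and in browsers.

// Constructed sample: a root document and the sub-resources it loads.
// The hosts are placeholders, not sites from the thread.
const DOCUMENT_URL = 'https://bank.example/accounts';
const SAMPLE_SUBRESOURCES = [
  { tag: 'script', url: '/static/app.js' },                             // relative: resolves to the document origin
  { tag: 'link',   url: 'https://bank.example:443/static/site.css' },   // explicit default port: still the same origin
  { tag: 'script', url: 'https://cdn.analytics.example/tag.js' },       // different host
  { tag: 'img',    url: 'http://bank.example/logo.png' },               // same host, different scheme
  { tag: 'iframe', url: 'https://widgets.example:8443/frame' },         // different host and port
  { tag: 'img',    url: 'data:image/gif;base64,R0lGODlhAQABAAAAACw=' }, // opaque origin
];

// Origin of a (possibly relative) URL, resolved against the document URL.
// WHATWG URL normalises default ports away and reports opaque origins
// (data:, blob: without a parent, ...) as the string 'null'.
function resolveOrigin(url, documentUrl) {
  return new URL(url, documentUrl).origin;
}

// The Same-origin policy's test: identical scheme, host and port. An opaque
// origin is never same-origin with anything, including itself.
function isSameOrigin(resourceUrl, documentUrl) {
  const resourceOrigin = resolveOrigin(resourceUrl, documentUrl);
  const documentOrigin = new URL(documentUrl).origin;
  return resourceOrigin !== 'null' && resourceOrigin === documentOrigin;
}

// Split a document's sub-resources into first-party (same-origin) and
// third-party (every other origin) sets, annotating each with its origin.
function partitionByOrigin(documentUrl, subresources) {
  const firstParty = [];
  const thirdParty = [];
  for (const r of subresources) {
    const entry = { ...r, origin: resolveOrigin(r.url, documentUrl) };
    (isSameOrigin(r.url, documentUrl) ? firstParty : thirdParty).push(entry);
  }
  return { firstParty, thirdParty };
}

// Simplified Content-Security-Policy source matcher (an assumption of this
// example, not a full CSP implementation): it understands 'none', 'self' and
// exact scheme://host[:port] host-sources. Real CSP also has wildcards, path
// matching, scheme-sources such as data: and scheme-upgrade rules for 'self'.
function cspAllows(sourceList, documentUrl, resourceUrl) {
  const resourceOrigin = resolveOrigin(resourceUrl, documentUrl);
  for (const source of sourceList) {
    if (source === "'none'") continue;                  // matches nothing
    if (source === "'self'") {
      if (isSameOrigin(resourceUrl, documentUrl)) return true;
      continue;
    }
    // host-source: compare the allowed origin with the resource's origin
    if (resourceOrigin !== 'null' && new URL(source).origin === resourceOrigin) return true;
  }
  return false;
}

// URLs that a "default-src 'self'" policy would refuse to load: the concrete
// list a page author must remove, self-host, or consciously allow-list.
function blockedBySelfOnlyPolicy(documentUrl, subresources) {
  return subresources
    .filter(r => !cspAllows(["'self'"], documentUrl, r.url))
    .map(r => r.url);
}

// Stand-alone run: print the audit for the constructed sample.
const report = partitionByOrigin(DOCUMENT_URL, SAMPLE_SUBRESOURCES);
console.log('first-party:', report.firstParty.map(r => `${r.tag} ${r.url}`));
console.log('third-party:', report.thirdParty.map(r => `${r.tag} ${r.url} (${r.origin})`));
console.log("blocked by default-src 'self':", blockedBySelfOnlyPolicy(DOCUMENT_URL, SAMPLE_SUBRESOURCES));
```

Run it with `node` and the four third-party entries fall out: a different host, the same host over a different scheme, a different port, and the opaque `data:` URL. What the audit makes concrete is that the boundary the browser enforces is the origin of each individual fetch; the type of certificate presented by the root page does not enter into that check.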