Re: [rtcweb] Single-origin and consent

Bernard Aboba <bernard_aboba@hotmail.com> Thu, 20 October 2011 18:33 UTC

Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F98121F8BBA for <rtcweb@ietfa.amsl.com>; Thu, 20 Oct 2011 11:33:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.488
X-Spam-Level:
X-Spam-Status: No, score=-102.488 tagged_above=-999 required=5 tests=[AWL=0.110, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qK-dq1Ss7-+F for <rtcweb@ietfa.amsl.com>; Thu, 20 Oct 2011 11:33:20 -0700 (PDT)
Received: from blu0-omc3-s14.blu0.hotmail.com (blu0-omc3-s14.blu0.hotmail.com [65.55.116.89]) by ietfa.amsl.com (Postfix) with ESMTP id E633721F8B75 for <rtcweb@ietf.org>; Thu, 20 Oct 2011 11:33:15 -0700 (PDT)
Received: from BLU152-W16 ([65.55.116.73]) by blu0-omc3-s14.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 20 Oct 2011 11:33:15 -0700
Message-ID: <BLU152-W165BDE80EF3B72DABAA55793EB0@phx.gbl>
Content-Type: multipart/alternative; boundary="_59a92071-1488-4d6a-bdd5-4d4909bca6a3_"
X-Originating-IP: [24.17.217.162]
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: <rtcweb@ietf.org>
Date: Thu, 20 Oct 2011 11:33:14 -0700
Importance: Normal
In-Reply-To: <4EA064FA.1090006@alvestrand.no>
References: <9C8CA816-65FB-41A0-999C-4C43128CAAB4@danyork.org>, <BLU152-W43CB8DACCEA54AA5558B2493EA0@phx.gbl>, <E857C96A-0E73-486F-BF23-36BA897B449C@cisco.com>, <BLU152-W19B31DA6C6DB2FE60FC51C93EB0@phx.gbl>, <CABcZeBNbSk-4kfzNtXUSnFMhkcockTXudAYzEET30a0v+-kxBA@mail.gmail.com>, <4EA05CF0.6010904@jesup.org>, <4EA064FA.1090006@alvestrand.no>
MIME-Version: 1.0
X-OriginalArrivalTime: 20 Oct 2011 18:33:15.0521 (UTC) FILETIME=[BB0F6710:01CC8F56]
Subject: Re: [rtcweb] Single-origin and consent
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2011 18:33:21 -0000

> I think we can (if the app tells us to, since it's "same-origin" and 
> the app should know), but I'm a little less certain of the "should".  
> Is there an attack wherein someone could 'host' some JS content (app) 
> on a site and use it to attack/DoS that site from multiple places?  It 
> seems at least plausible.

[BA] Taken to its conclusion, this is an argument for imposing ICE as a requirement for *all* web-based applications. 

There is no evidence that such a requirement is necessary -- and even if it were to be done, it would be almost certainly be ignored (and rightly so) by the developer community. 

There is a line between safely attempting to add new functionality, and attempting to disable existing functionality.  

The former is in scope, the latter is not.