Talk about Site Isolation #1

Open
sleevi opened this issue Sep 5, 2019 · 1 comment

Owner

sleevi commented Sep 5, 2019

@mikewest pointed out that I don't really touch on the topic of site isolation at all, which is one of the few things that provides a real and hard security boundary, and for better or worse, depends on the PSL.

Fix that, by mentioning it!


mikewest commented Sep 6, 2019

Site-level process isolation does provide a hard and real boundary, but it pretty clearly falls into the same traps as the rest of the PSL usage, insofar as it defaults to an insecure configuration. Clearly, the team recognizes that, and is aiming for origin-level isolation, but that turns out to be hard. The PSL (and the related "same site" concept) is a pretty useful one in the status quo. In the future, something along the conceptual lines of first-party sets seems like a better answer.
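
An added example, not part of the thread or of any browser's code: it groups URLs by site (scheme plus registrable domain) and by origin, to show how a PSL entry changes which hosts would share an isolation boundary. The suffix list, sample URLs and all function names are constructed for illustration; only plain PSL rules are handled (no wildcard or exception rules, no IP-address hosts).

```javascript
// Constructed, minimal suffix lists; the real Public Suffix List is far larger.
const WITH_ENTRY = new Set(["com", "io", "github.io"]);
const WITHOUT_ENTRY = new Set(["com", "io"]); // same list, "github.io" missing

// Constructed sample URLs.
const SAMPLE_URLS = [
  "https://alice.github.io/",
  "https://bob.github.io/",
  "https://mail.example.com/",
  "https://pay.example.com/",
];

// Longest matching public suffix of a hostname (plain rules only).
function publicSuffix(host, suffixes) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (suffixes.has(candidate)) return candidate;
  }
  return labels[labels.length - 1]; // implicit "*" rule: the last label
}

// Registrable domain (eTLD+1): the public suffix plus one more label.
function registrableDomain(host, suffixes) {
  const suffix = publicSuffix(host, suffixes);
  if (host === suffix) return host; // the host is itself a public suffix
  const rest = host.slice(0, host.length - suffix.length - 1).split(".");
  return rest[rest.length - 1] + "." + suffix;
}

// Site-level key: scheme + registrable domain. Depends on the suffix list.
function siteKey(url, suffixes) {
  const u = new URL(url);
  return u.protocol + "//" + registrableDomain(u.hostname, suffixes);
}

// Origin-level key: scheme + host + port. Independent of the suffix list.
function originKey(url) {
  return new URL(url).origin;
}

// Bucket URLs by an isolation key; each bucket shares one boundary.
function groupBy(urls, keyFn) {
  const groups = {};
  for (const url of urls) {
    const key = keyFn(url);
    (groups[key] = groups[key] || []).push(url);
  }
  return groups;
}
```

Grouping `SAMPLE_URLS` with `WITHOUT_ENTRY` puts both `github.io` hosts in one site, while `WITH_ENTRY` separates them; `originKey` separates all four hosts regardless of the list.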
