psl-problems icon indicating copy to clipboard operation
psl-problems copied to clipboard

Published 20 hours ago verified publisher icon sleevi

Talk about Site Isolation

Open sleevi opened this issue 6 years ago • 1 comments

@mikewest pointed out that I don't really touch on the topic of site isolation at all, which is one of the few things that provides a real and hard security boundary, and for better or worse, depends on the PSL.

Fix that, by mentioning it!

sleevi avatar Sep 05 '19 18:09 sleevi

Site-level process isolation does provide a hard and real boundary, but it pretty clearly falls into the same traps as the rest of the PSL usage, insofar as it defaults to an insecure configuration. Clearly, the team recognizes that, and is aiming for origin-level isolation, but that turns out to be hard. The PSL (and the related "same site" concept is a pretty useful one in the status quo. In the future, something along the conceptual lines of first-party sets seems like a better answer.

mikewest avatar Sep 06 '19 08:09 mikewest