Description
This issue refers to the security review requested in this issue w3c/security-request#71
Dear Group,
Thank you for asking for the review and in advance for your willingness to discuss it, as you have already interacted with TAG.
We have analyzed the information available.
In general, I agree with the TAG's concerns regarding the use of different origins.
There are two issues to consider in general:
- The user should be notified (or it should be visible at all times) when they are on a different origin from the one they installed, even if this is permitted.
- If evil.com allows access to example.com, this should be explicitly allowed by example.com and not just by the manifest on evil.com. Furthermore, it should be considered that while some websites, such as a.example.com, are controlled by the same entity as b.example.com, there are cases where subdomains cannot be trusted.
To facilitate analysis, possibly in a SING breakout session, I would ask you to add a small Threat Model (even in a separate document linked to the Security Considerations in the Explainer), structured as follows:
- A Data Flow Diagram representing the various scenarios (including example.com, evil.com, evil.example.com, etc.) in the elements, first representing the legitimate use cases to understand if and how they can be abused (Template)
- A list of security assumptions, threats, potential mitigations/countermeasures, and residual risks (explanation here)
Thank you,
Simone
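The two points raised above (a visible indicator whenever the app leaves its install origin, and cross-origin access that must be consented to by the target origin rather than claimed unilaterally by the installing manifest, with no implicit trust between subdomains) can be modelled as a small policy check. The following is an added illustration, not code from the issue, the working group, or any manifest specification; the field names `claimed_origins` and `allowed_apps`, the sample manifests and association records are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample data (hypothetical field names, not a spec's format):
# what each installed app's manifest claims it may cover, and what each
# target origin itself says about which apps may cover it.
MANIFESTS = {
    "https://evil.com": {
        "claimed_origins": ["https://example.com", "https://evil.example.com"],
    },
    "https://a.example.com": {
        "claimed_origins": ["https://b.example.com", "https://c.example.com"],
    },
}
ASSOCIATIONS = {
    "https://example.com": {"allowed_apps": []},
    "https://evil.example.com": {"allowed_apps": ["https://evil.com"]},
    "https://b.example.com": {"allowed_apps": ["https://a.example.com"]},
    # c.example.com publishes no association record at all
}


def origin_of(url: str) -> str:
    """Normalise an https URL to its origin (scheme://host[:port])."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https URL: {url}")
    port = f":{parts.port}" if parts.port and parts.port != 443 else ""
    return f"{parts.scheme}://{parts.hostname.lower()}{port}"


def resolve_claims(app_origin: str) -> dict:
    """Apply two-sided consent to every origin the app's manifest claims.

    A claim is granted only if the claimed origin explicitly lists the app.
    Sharing a parent domain (a.example.com vs. c.example.com) grants nothing;
    a claim on the parent itself (evil.com -> example.com) grants nothing
    unless example.com says so.
    Returns {claimed_origin: (granted, reason)}.
    """
    result = {}
    manifest = MANIFESTS.get(app_origin, {})
    for claimed in manifest.get("claimed_origins", []):
        claimed = origin_of(claimed)
        if claimed == app_origin:
            result[claimed] = (True, "same origin")
            continue
        assoc = ASSOCIATIONS.get(claimed)
        if assoc is None:
            result[claimed] = (False, "target publishes no association")
        elif app_origin in assoc["allowed_apps"]:
            result[claimed] = (True, "target explicitly allows this app")
        else:
            result[claimed] = (False, "target does not list this app")
    return result


def needs_origin_indicator(app_origin: str, current_url: str) -> bool:
    """The user should see the origin whenever navigation leaves the origin
    the app was installed from, even when that origin was granted above."""
    return origin_of(current_url) != app_origin


if __name__ == "__main__":
    for app in MANIFESTS:
        print(app)
        for target, (granted, reason) in resolve_claims(app).items():
            print(f"  {target}: {'granted' if granted else 'denied'} ({reason})")
    print(needs_origin_indicator("https://evil.com", "https://evil.example.com/p"))
```

The check deliberately ignores the domain hierarchy: evil.example.com consenting to evil.com says nothing about example.com, and a.example.com gains access to b.example.com only because b.example.com lists it. The indicator function is kept separate from the grant decision, since the issue asks for the user to be informed even when the cross-origin access is permitted.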