RFC: Site Affiliation

# Jochen Eisinger (a month ago)

Hey all,

as Mike mentioned in the last phonecall, I wonder whether there's some appetite to agree on a standardized way for multiple sites to declare themselves to be affiliated with each other.

Android allows for associating an app with one or more sites[1], and so does iOS[2]. Now it seems pretty straight forward to use this information also for e.g. a password manager, however, I think it's a bit unfortunate to have sites host potentially N different files.

Adding this information to the web manifest, or as part of an origin policy comes to mind.

thoughts?

best -jochen

[1] developers.google.com/identity/smartlock-passwords/android/associate-apps-and-sites#example_associate_apps_with_multiple_websites [2] developer.apple.com/reference/security/shared_web_credentials#1654478

Contact us to advertise here
# Daniel Veditz (a month ago)

On Fri, Apr 21, 2017 at 7:44 AM, Jochen Eisinger eisinger@google.com

wrote:

Android allows for associating an app with one or more sites[1], and so does iOS[2]. ​ [...]

Adding this information to the web manifest, or as part of an origin policy comes to mind.

​If it's not a mutual opt-in by all sites involved then we're opening a huge hole. Asking the user isn't enough because users are easily fooled​.

- ​Dan Veditz​

# Jochen Eisinger (a month ago)

Right, all involved sites would have to agree on the exact set of involved sites.

# Oda, Terri (a month ago)

Back when I was an academic, we wrote a paper on doing mutual affiliation declrations. Here's the html tech report version: www.ccsl.carleton.ca/software/soma/soma-techreport and the final version that appeared in Computer and Communications Security (CCS '08): terri.toybox.ca/doc/academic/oda-ccs-08.pdf

I still think it's a useful idea. Our data at the time (obviously now a little outdated) showed that managing such a list was pretty doable for most sites, since on average they made use of data from 5.45 sites with a standard deviation of 5.3, so most sites would have a list of 11 or less, although we did find one that had around 45 and it's possible that the average numbers have gone up since the research was done. But it's probably still not untenable to create and maintain manifests for this.

The downside was the method we used for the implementation required another round trip request to check those manifests, and only loaded content once they were read, so it did cause a noticeable slowdown in practice. If we tied it in to something we're already checking, though, this might not as big of an issue as it was in 2008.

On Fri, Apr 21, 2017 at 10:57 AM, Jochen Eisinger eisinger@google.com

wrote:

# Jochen Eisinger (a month ago)

Interesting read, thanks for sharing!

I think one difference here is that we don't need to block the initial page load on loading all the other manifests, but it can happen concurrently, so there'd hopefully be no slowdown.

# Václav Brožek (25 days ago)

Adding Vasilii in Cc, because he works on affiliation support for Chrome.

# Vasilii Sukhanov (25 days ago)

Re slowdown: we don't need to fetch the manifest for every page. The password management is a supplementary feature. The affiliation info is only needed when there is a password form or a call to the Credential Management API happens.

On Tue, Apr 25, 2017 at 1:46 PM, Václav Brožek vabr@google.com wrote:

Adding Vasilii in Cc, because he works on affiliation support for Chrome.

Cheers, Vaclav

On Mon, 24 Apr 2017 at 21:46 Jochen Eisinger eisinger@google.com wrote:

Interesting read, thanks for sharing!

I think one difference here is that we don't need to block the initial page load on loading all the other manifests, but it can happen concurrently, so there'd hopefully be no slowdown.

On Mon, Apr 24, 2017 at 7:03 PM Oda, Terri terri.oda@intel.com wrote:

Back when I was an academic, we wrote a paper on doing mutual affiliation declrations. Here's the html tech report version: www.ccsl.carleton.ca/software/soma/soma-techreport and the final version that appeared in Computer and Communications Security (CCS '08): terri.toybox.ca/doc/academic/oda-ccs-08.pdf

I still think it's a useful idea. Our data at the time (obviously now a little outdated) showed that managing such a list was pretty doable for most sites, since on average they made use of data from 5.45 sites with a standard deviation of 5.3, so most sites would have a list of 11 or less, although we did find one that had around 45 and it's possible that the average numbers have gone up since the research was done. But it's probably still not untenable to create and maintain manifests for this.

The downside was the method we used for the implementation required another round trip request to check those manifests, and only loaded content once they were read, so it did cause a noticeable slowdown in practice. If we tied it in to something we're already checking, though, this might not as big of an issue as it was in 2008.

On Fri, Apr 21, 2017 at 10:57 AM, Jochen Eisinger eisinger@google.com wrote:

Right, all involved sites would have to agree on the exact set of involved sites.

On Fri, Apr 21, 2017 at 7:54 PM Daniel Veditz dveditz@mozilla.com wrote:

On Fri, Apr 21, 2017 at 7:44 AM, Jochen Eisinger eisinger@google.com wrote:

Android allows for associating an app with one or more sites[1], and so does iOS[2].

​ [...]

Adding this information to the web manifest, or as part of an origin policy comes to mind.

​If it's not a mutual opt-in by all sites involved then we're opening a huge hole. Asking the user isn't enough because users are easily fooled​.

- ​Dan Veditz​

Vasilii Sukhanov

Software Engineer

vasilii@google.com

Google Germany GmbH

Erika-Mann-Straße 33

80636 München

Geschäftsführer: Matthew Scott Sucherman, Paul Terence Manicle

Registergericht und -nummer: Hamburg, HRB 86891

Sitz der Gesellschaft: Hamburg

Want more features?

Request early access to our private beta of readable email premium.