WICG / isolation


Isolation opt-out #8

Open randomdross opened 7 years ago

randomdross commented 7 years ago

I'm thinking of isolated origins as something that web developers would enable for their origins, and then the setting would be essentially "locked in." If that's the intended design, there are probably a few things to work out...

1) What if the user clears their cache? It seems that isolation should still stick.
2) Still, there needs to be a way to "undo" isolation. Otherwise, if foo.com is isolated, then ownership of the domain changes (legitimately), how can the new owner "fix" the site for any users who visited the old site? Or maybe the web developer just doesn't want the origin to be isolated, for whatever reason. So it should be possible (but difficult) to opt-out of isolation, I think. Maybe a JavaScript API to reset the origin, which would clear cookies, reset isolation, etc. (The API would probably need to prompt the user.)

arturjanc commented 7 years ago

If isolated origins end up as a bit on an origin, like HSTS, maybe they should follow a similar model? That is:

randomdross commented 7 years ago

Consistency with HSTS seems good. Though this approach assumes HTTP response splitting isn't a thing. (And if the basic assumption with isolated origins is that XSS / XSRF is a threat, why not response splitting also?) So I do think there's still an argument to require user interaction, and a full reset that also clears cookies.
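A small model of the HSTS-style per-origin bit discussed in the two comments above, added here as an illustration and not code from the WICG proposal. The header name `Isolate-Origin` is a hypothetical placeholder and the `max-age` directive syntax (with `max-age=0` as the opt-out) is borrowed from HSTS; the thread itself does not fix a delivery mechanism.

```javascript
// Hypothetical header name; the issue thread does not specify how the
// isolation bit is delivered, so this is an assumption for the model.
const HEADER = "isolate-origin";

// Parse an HSTS-style directive list such as "max-age=31536000".
// Returns the max-age in seconds, or null when the value is malformed.
function parseMaxAge(value) {
  for (const raw of value.split(";")) {
    const [name, val] = raw.trim().split("=").map((s) => s && s.trim());
    if (name && name.toLowerCase() === "max-age" && /^\d+$/.test(val ?? "")) {
      return Number(val);
    }
  }
  return null;
}

class IsolationStore {
  constructor() {
    this.bits = new Map();  // origin -> expiry timestamp (ms)
    this.cache = new Map(); // ordinary HTTP cache, deliberately separate
  }

  // Apply a response from `origin`. Following the HSTS model, a positive
  // max-age sets or refreshes the bit and max-age=0 deletes it (opt-out).
  applyResponse(origin, headers, now = Date.now()) {
    const value = headers[HEADER];
    if (value === undefined) return;
    const maxAge = parseMaxAge(value);
    if (maxAge === null) return; // malformed directive: leave state unchanged
    if (maxAge === 0) this.bits.delete(origin);
    else this.bits.set(origin, now + maxAge * 1000);
  }

  // Expired bits are dropped lazily, as an HSTS cache would.
  isIsolated(origin, now = Date.now()) {
    const expiry = this.bits.get(origin);
    if (expiry === undefined) return false;
    if (expiry <= now) {
      this.bits.delete(origin);
      return false;
    }
    return true;
  }

  // Point 1 of the issue: clearing the cache must not clear the isolation bit,
  // which is why the bit lives in its own store rather than in the cache.
  clearCache() {
    this.cache.clear();
  }
}
```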

arturjanc commented 7 years ago

Well, even if there is a response splitting bug in an isolated application an attacker shouldn't be able to trigger it because the app will be... drumroll... isolated! So hopefully the navigation restrictions we're counting on to prevent the exploitation of XSS/XSRF can also help here?

Re: clearing cookies/state upon removing isolation, I don't feel strongly about it, though I'd be wary of requiring user interaction because the user generally won't understand what they're being asked to do anyway.

randomdross commented 7 years ago

Ahh yes. As long as the navigation manager prevents the navigation prior to the injected header being handled.

Re: clearing cookies/state and user interaction. I think this works if the API is something like: navigator.resetOrigin(). The prompt would be something along the lines of "Do you want to reset foo.com to factory default settings?"