Emily StarkDec 19, 2022

New blog post: The death of the line of death

The "line of death" is a security boundary in web browsers about separating trustworthy browser UI from untrusted web content; I think the concept is waning in utility over time.

https://emilymstark.com/2022/12/18/death-to-the-line-of-death.html

The death of the line of death

The line of death, as Eric Lawrence explained in a classic blog post, is the idea that an application should separate trustworthy UI from untrusted content. The typical example is in a web browser, where untrustworthy web content appears below the browser toolbar UI. Trustworthy content provided by the web browser must appear either in the browser toolbar, or anchored to it or overlapping it. If this separation is maintained, then untrusted content can’t spoof the trustworthy browser UI to trick or attack the user.

Emily M. Stark
Show threadAlex RussellDec 19, 2022

@estark having had to teach this concept to a fair few folks, I can say that I both dislike it's currently filmsy justification, but also that I'm not thrilled with the idea of removing it.

A better path forward seems like it would be grounded in something like the TLS interstitial research of a decade ago (which I know you were hoping to find for this piece).

Until then, "death to" seems premature.

Show threadEmily StarkDec 19, 2022

@slightlyoff I’m not advocating for removing it in the post, just arguing that it’s becoming increasingly irrelevant (though not yet dispensable) and was never all that useful to begin with

(yes, the title is clickbaity but it was just too catchy not to use 🤪)

Show threadAlex RussellDec 19, 2022

@estark we had debates about it relative to Edge's sidebar too, as you might anticipate and on the back of that experience, can guarantee you that your post will be used to argue that we don't need to abide by it any more, even though that's not what you're arguing.

*sigh*

Show threadEmily StarkDec 19, 2022
@slightlyoff well, I mean, apparently both Edge and Chrome’s security teams decided that we don’t need to abide by it, soooo…
Show threadEmily Stark
@slightlyoff if you do see people citing it in that way, I recommend pointing to the section that says “There are some attacks in which the line of death concept is really the best we know how to do. It’s fundamentally impossible to have a secure application environment without some trustworthy UI.”
Dec 19, 2022 at 6:07amWeb
Show threadAlex RussellDec 19, 2022
@estark sure sure...I'm just saying...it's going to happen. It's a meeting I will have to be in and pre-emptively wince at. Can I invite you instead? ;-)
Show threadEmily StarkDec 19, 2022

@slightlyoff absolutely! seriously — the whole reason I wrote this is because I want to have conversations with feature teams that are more nuanced than “you must obey this arcane security rule that obviously doesn’t translate to real users or modern browsers”

(I think I will retitle though to “the death of the line of death”. captures the facts of the situation more and sounds less like I’m on some kind of crusade)

Show threadAlex RussellDec 19, 2022
@estark cheers! May take you up on this if/when there's a situation where I can.
Show threadEmily StarkDec 19, 2022
@slightlyoff Btw a related piece of documentation you might find helpful is https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/security-considerations-for-browser-ui.md#prefer-existing-ui_ux-patterns_avoid-introducing-new-ones (particularly relevant to side panel) and other guidelines on that page
Chromium Docs - Security Considerations for Browser UI