- From: <bugzilla@jessica.w3.org>
- Date: Fri, 07 Nov 2014 18:22:37 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=27271
Ryan Sleevi <sleevi@google.com> changed:
What | Removed | Added
-----|---------|------------------
CC   |         | sleevi@google.com
--- Comment #2 from Ryan Sleevi <sleevi@google.com> ---
(In reply to Henri Sivonen from comment #0)
> (Start proposed spec text for a *normative* section)
>
> When the User Agent is limiting the support of the APIs described in this
> document or a specific Key System to secure origins, the secure origin
> requirement MUST apply not only to the origin calling the APIs described in
> this document but also to all the ancestor origins in the browsing context
> chain up to and including the top-level browsing context.
Would it be possible / should we incorporate the language from
https://w3c.github.io/webappsec/specs/mixedcontent/#may-document-use-powerful-features,
which makes it clearer as to the algorithm necessary to process this?
>
> Note: This ensures that a network attacker cannot work around the secure
> origin restriction by injecting an iframe with an attacker-hosted
> https-origin document into an http-origin victim page. Also, this makes it
> harder for a site to foil the intended privacy properties of the secure
> origin restriction by exposing EME messages to an insecure origin by using
> postMessage() to send data to an insecure-origin parent browsing context.
Received on Friday, 7 November 2014 18:22:41 UTC
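As an added example (not code from the bug thread, from EME, or from the mixed content spec), the JavaScript below models the ancestor-chain check the proposed normative text describes and contrasts it with a check that only looks at the calling document. Which schemes count as secure is an assumption made here for illustration: `https:` and `wss:` are treated as secure, everything else as insecure.

```javascript
// Added example: models the proposed rule that a document may use the EME
// APIs only if its own origin AND every ancestor origin up to and including
// the top-level browsing context is a secure origin.
// Assumption (not from the page): "https:" and "wss:" are the secure schemes.
const SECURE_SCHEMES = new Set(['https:', 'wss:']);

function isSecureOrigin(originUrl) {
  try {
    return SECURE_SCHEMES.has(new URL(originUrl).protocol);
  } catch (e) {
    return false; // an unparsable origin is never treated as secure
  }
}

// chain[0] is the origin of the document calling the API; the last element
// is the top-level browsing context. Returns which origin (if any) blocked
// the request so a UA could surface it in a console message.
function mayUseEme(chain) {
  if (!Array.isArray(chain) || chain.length === 0) {
    return { allowed: false, blockedBy: null };
  }
  for (const origin of chain) {
    if (!isSecureOrigin(origin)) {
      return { allowed: false, blockedBy: origin };
    }
  }
  return { allowed: true, blockedBy: null };
}

// The weaker check the proposed text is meant to replace: it consults only the
// calling document's origin, so an https iframe inside an http page passes.
function naiveMayUseEme(chain) {
  return Array.isArray(chain) && chain.length > 0 && isSecureOrigin(chain[0]);
}

// Constructed sample chains for the two cases discussed in the thread.
const attackerFrameInHttpPage = ['https://attacker.example', 'http://victim.example'];
const allHttps = ['https://player.example', 'https://site.example'];

console.log('naive:', naiveMayUseEme(attackerFrameInHttpPage));   // true (the gap)
console.log('ancestor-aware:', mayUseEme(attackerFrameInHttpPage)); // blocked by http parent
console.log('ancestor-aware:', mayUseEme(allHttps));               // allowed
```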