Re: [webappsec] Rechartering: force secure-only child browsing contexts from Ryan Sleevi on 2014-11-14 (public-webappsec@w3.org from November 2014)

From: Ryan Sleevi <sleevi@google.com>
Date: Thu, 13 Nov 2014 19:27:35 -0800
To: Brian Smith <brian@briansmith.org>
Cc: Mike West <mkwst@google.com>, Brad Hill <hillbrad@fb.com>, Anne van Kesteren <annevk@annevk.nl>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CACvaWvZSpLDW97jxwUBHruXR0LiHRoe1u3UejCjTQYE41ApnVg@mail.gmail.com>

On Thu, Nov 13, 2014 at 7:11 PM, Brian Smith <brian@briansmith.org> wrote:

> Mike West <mkwst@google.com> wrote:
> > I think this is a pretty reasonable concept to add to MIX.
> >
> > It's not clear to me whether it should be the default behavior, or
> whether
> > it should be opted-into (similar to `sandbox`).
>
> Obviously, if it cannot be done by default, then it could be added as
> a sandbox directive. But, if we can avoid adding any new mechanism,
> then that is greatly preferable, for simplicity's sake.
>
> Cheers,
> Brian
>

So, that's a lot of hypotheticals. My gut is that they're correct - but we
need empirical data, either due to a browser implementing it ("Damn the
torpedoes!") or through telemetry/metrics.

Since I like security more than complexity, consider it a +1 to spec'ing
it, and then we revisit during whenever that point during the revised W3C
process where people actually implement and discover it might need to be
opt-in for some time before (eventually) becoming default.

Received on Friday, 14 November 2014 03:28:02 UTC