- From: Mike West <mkwst@google.com>
- Date: Thu, 23 Oct 2014 14:00:06 +0200
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAKXHy=dRGKErL5gFgaRO2y14hV37cshGQ0s224Lx4M+JSq-Utw@mail.gmail.com>
Yeah. We can improve the wording of the latter definition. I think you can safely s/An[sic] resource's/A/ without losing any meaning, though. That said, it's a bit hand-wavy in general due to the "weak" and "deprecated" bits. The _origin_ isn't really enough to make those judgements, as they require the TLS handshake to complete so that the user agent can evaluate the ciphers that were agreed-upon. We should probably be talking about a different concept here, but it's not clear to me what fits. Suggestions welcome. -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Thu, Oct 23, 2014 at 1:43 PM, Anne van Kesteren <annevk@annevk.nl> wrote: > When reviewing service workers I found this definition to be lacking. > It talks about origins but then it refers > https://w3c.github.io/webappsec/specs/mixedcontent/#insecure-origin > which starts talking about resources. We don't know about resources in > an algorithm that only takes an origin as parameter. > > > -- > https://annevankesteren.nl/ > >
Received on Thursday, 23 October 2014 12:00:55 UTC