- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 30 Oct 2014 13:56:46 +0100
- To: WebAppSec WG <public-webappsec@w3.org>

The powerful features push is good. However, it does allow a TLS <iframe> to collaborate with a non-TLS parent. This is how Netflix gets access to Web Crypto and therefore likely complains less about that than they complain about making EME a powerful feature.

It might be a bit early, but it would be nice to start considering stricter models. Where the top-level browsing context needs to be TLS. Or where only the top-level browsing context gets access to a feature (proposed for e.g. first-party cookies).

Since Mike enjoys writing a lot of tiny specifications, perhaps we should have a "security permissions" document that other specifications can reference for the permission policy their feature enjoys and move the powerful feature stuff from Mixed Content there. Providing terminology for these various approaches hopefully makes the landscape and discourse somewhat less complicated.

--
https://annevankesteren.nl/

Received on Thursday, 30 October 2014 12:57:13 UTC