- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Wed, 01 Jul 2015 10:41:58 -0400
- To: public-webappsec@w3.org
https://w3c.github.io/webappsec/specs/powerfulfeatures/#settings-secure step 2 says "If settings has a responsible document document" and then has a note saying "Note: If settings maps to a Document (either directly, or as the responsible document of a Worker), we’ll walk all the way up the document’s ancestor chain to verify that the whole chain is secure."

But if you look at the actual spec for workers at https://html.spec.whatwg.org/multipage/workers.html#script-settings-for-workers you will see that for a worker settings object the responsible document is listed as "not applicable". Also, https://html.spec.whatwg.org/multipage/webappapis.html#responsible-document clearly says "If the responsible event loop is not a browsing context event loop, then the environment settings object has no responsible document."

Interestingly, that text seems to be missing from the definition of "responsible document" at <http://www.w3.org/TR/html5/webappapis.html#responsible-document> (which this spec draft links to)... but that spec doesn't define workers at all anyway, so isn't much help here. http://www.w3.org/TR/workers/ doesn't define the settings object. I'm going to ignore the W3C forks of this stuff for the moment, since it doesn't even define the primitives we're trying to work with.

Anyway, per the WHATWG spec the algorithm at https://w3c.github.io/webappsec/specs/powerfulfeatures/#settings-secure would check the TLS state of the worker and if that's authenticated return "Secure". The note in step 2 just has no bearing on what the algorithm is doing.

-Boris
Received on Wednesday, 1 July 2015 14:42:27 UTC
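The following is an added model of the "is this settings object secure" walk that the message above discusses; it is not code from the email, from the Powerful Features draft, or from any browser. It assumes (my assumptions, not the spec's) that a settings object is a plain object with an optional `responsibleDocument` and its own `tlsState`, that a Document carries its own `tlsState` and an optional `parent`, and that "the whole chain is secure" means every document in the ancestor chain is authenticated. The constructed sample reproduces the point of the message: a worker settings object has no responsible document, so step 2 never fires and the worker's own TLS state alone decides, even when the document that created it sits under an unauthenticated ancestor.

```javascript
// Added example, not spec text: a minimal model of the settings-secure algorithm
// as the message describes it. Shapes below are assumptions for illustration.

// Assumed: a Document has its own tlsState and an optional parent (ancestor) document.
function documentChainIsSecure(doc) {
  // Walk all the way up the ancestor chain; every document must be authenticated.
  for (let d = doc; d; d = d.parent) {
    if (d.tlsState !== "authenticated") return false;
  }
  return true;
}

// Assumed: a settings object has an optional responsibleDocument and its own tlsState.
function isSettingsObjectSecure(settings) {
  // Step 2 as quoted in the message: applies only when a responsible document exists.
  if (settings.responsibleDocument) {
    return documentChainIsSecure(settings.responsibleDocument) ? "Secure" : "Not Secure";
  }
  // No responsible document (the worker case per the WHATWG definition quoted in the
  // message): the ancestor-chain note never applies; only the object's own TLS state counts.
  return settings.tlsState === "authenticated" ? "Secure" : "Not Secure";
}

// Constructed sample: an authenticated document framed by an unauthenticated top-level
// page, and a worker created by that framed document whose own TLS state is authenticated.
const topLevel = { name: "top", tlsState: "unauthenticated", parent: null };
const framed = { name: "frame", tlsState: "authenticated", parent: topLevel };

const framedDocumentSettings = { responsibleDocument: framed, tlsState: "authenticated" };
// Worker settings: responsible document is "not applicable", modelled here as null.
// createdBy is only recorded for the reader; the algorithm never consults it.
const workerSettings = { responsibleDocument: null, tlsState: "authenticated", createdBy: framed };

// Returns the verdict for both objects so the divergence is visible side by side.
function sampleResults() {
  return {
    framedDocument: isSettingsObjectSecure(framedDocumentSettings), // "Not Secure": ancestor fails
    worker: isSettingsObjectSecure(workerSettings),                 // "Secure": TLS state alone decides
  };
}

console.log(sampleResults());
```

The document created inside the frame is judged "Not Secure" because the walk reaches the unauthenticated top-level page, while the worker it spawned is judged "Secure" on its own TLS state, which is exactly the gap between the note's promise and what the algorithm does for workers.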