- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Wed, 01 Jul 2015 11:05:40 -0400
- To: public-webappsec@w3.org
https://w3c.github.io/webappsec/specs/powerfulfeatures/#settings-secure step 2.1 sets "ancestors" to be "a list of Documents containing document and the active document in each of document’s ancestor browsing contexts". Ignoring for the moment that a document has no concept of an ancestor browsing context, and assuming this meant to say "the active document in each of the ancestor browsing contexts of document's browsing context", I would like to think about the following situation:

Consider a website (call it W) loaded from http://a which has a subframe (call it X) loaded from https://b. This subframe opens another window (call it Y) loaded from http://c. This window has a subframe (call it Z) which is loaded from https://b (so X and Z are same-origin).

Now X grabs a reference to the window object of Z and then navigates Y to https://d. Then it tries to do something with that window object that performs the check at https://w3c.github.io/webappsec/specs/powerfulfeatures/#settings-secure

Stepping through the algorithm, the TLS state of Z is authenticated, "documents" consists of documents loaded from https://b and https://d respectively, and the algorithm returns "Secure". This seems a bit odd, since doing the same exact thing before navigating Y would have returned "Not Secure".

-Boris
Received on Wednesday, 1 July 2015 15:06:10 UTC
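The scenario in the message above, walked through in code as an added example (this is not code from the mail or from the spec; the `BrowsingContext` class, the document objects, the `isAuthenticated`, `ancestorsOf` and `isSettingsObjectSecure` helpers and the reading of step 2.1 as "the active document in each ancestor browsing context of document's browsing context" are all assumptions made for the illustration). It models the four contexts W, X, Y and Z, keeps a reference to Z's document across the navigation of Y, and evaluates the check before and after, showing the "Not Secure" to "Secure" flip the mail describes:

```javascript
// Added example, not part of the original message. Minimal model of
// browsing contexts with one active document each; "TLS state is
// authenticated" is approximated as "the document's URL is https".

class BrowsingContext {
  constructor(name, url, parent = null) {
    this.name = name;
    // Parent (ancestor) browsing context; null for a top-level context.
    // An auxiliary context opened via window.open has no parent.
    this.parent = parent;
    this.activeDocument = { url: new URL(url), browsingContext: this };
  }

  // Navigation replaces the active document. A reference held by another
  // script to a document (or a nested window) is unaffected by this.
  navigate(url) {
    this.activeDocument = { url: new URL(url), browsingContext: this };
    return this.activeDocument;
  }
}

function isAuthenticated(doc) {
  return doc.url.protocol === 'https:';
}

// Assumed reading of step 2.1: the document itself plus the *current*
// active document of each ancestor browsing context.
function ancestorsOf(doc) {
  const list = [doc];
  for (let bc = doc.browsingContext.parent; bc !== null; bc = bc.parent) {
    list.push(bc.activeDocument);
  }
  return list;
}

// Secure only if the document and every ancestor document are authenticated.
function isSettingsObjectSecure(doc) {
  if (!isAuthenticated(doc)) return 'Not Secure';
  return ancestorsOf(doc).every(isAuthenticated) ? 'Secure' : 'Not Secure';
}

// The exact situation from the mail: W(http://a) > X(https://b);
// X opens Y(http://c) > Z(https://b); X keeps a reference to Z, then
// navigates Y to https://d and runs the check on that reference.
function runScenario() {
  const W = new BrowsingContext('W', 'http://a/');
  const X = new BrowsingContext('X', 'https://b/', W);
  const Y = new BrowsingContext('Y', 'http://c/');      // opened by X
  const Z = new BrowsingContext('Z', 'https://b/', Y);

  const zDoc = Z.activeDocument;  // reference X holds (same-origin with Z)
  const before = isSettingsObjectSecure(zDoc);

  Y.navigate('https://d/');       // X navigates Y
  const after = isSettingsObjectSecure(zDoc);  // same document, same TLS state

  return {
    before,                       // 'Not Secure' (ancestor http://c)
    after,                        // 'Secure' (ancestor now https://d)
    ancestorUrls: ancestorsOf(zDoc).map(d => d.url.href),
  };
}

console.log(runScenario());
```

The flip happens because the list is built from the ancestors' *current* active documents at check time, while Z's own document object and its TLS state never changed. A defender-side reading of this is that any check walking the ancestor chain must pin the documents that were actually in place when the document was created (or re-run the check against the live tree and reject references to documents whose ancestors have since been replaced), rather than trusting whatever the tree looks like when a held reference is later used.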