Call for Consensus: Require secure context for WebCrypto

We're thinking of adding a sentence saying that secure origins should be
required for the use of WebCrypto.

In detail, we'd like to follow the definition of a secure context given
here [1], although since that document is still an editor's draft so we
will instead say that the "The top-level browsing context should be
secure when using the WebCrypto API."

People may also want to see this document, which mentions how the use of
WebCrypto within a secure origin can lead to l
https://w3c.github.io/webappsec-secure-contexts/#ancestors

Since all browsers support WebCrypto using TLS, this should not change
the test-suite or conformance requirements. As long as browsers enable
the usage of WebCrypto in TLS, we will not consider them non-conformant
if they offer the usage of WebCrypto outside TLS. However, given it is
not best practice, this note will at least inform developers to use TLS
properly when using WebCrypto, as otherwise (as we've seen), some
developers may believe enabling WebCrypto without TLS may give them
security properties it indeed does not.

We'll have a two week period for discussion before making any changes to
the spec in this regard.

  cheers,
    harry

[1] https://w3c.github.io/webappsec-secure-contexts

Received on Thursday, 14 July 2016 14:35:19 UTC