- From: Harry Halpin <hhalpin@w3.org>
- Date: Thu, 14 Jul 2016 16:58:29 +0200
- To: public-webcrypto@w3.org
Also, feel free to comment on GitHub rather than the list:

https://github.com/w3c/webcrypto/issues/28

On 07/14/2016 04:35 PM, Harry Halpin wrote:
> We're thinking of adding a sentence saying that secure origins should be
> required for the use of WebCrypto.
>
> In detail, we'd like to follow the definition of a secure context given
> here [1], although since that document is still an editor's draft, we
> will instead say that "The top-level browsing context should be
> secure when using the WebCrypto API."
>
> People may also want to see this document, which mentions how the use of
> WebCrypto within a secure origin can lead to l
> https://w3c.github.io/webappsec-secure-contexts/#ancestors
>
> Since all browsers support WebCrypto using TLS, this should not change
> the test-suite or conformance requirements. As long as browsers enable
> the usage of WebCrypto in TLS, we will not consider them non-conformant
> if they offer the usage of WebCrypto outside TLS. However, given it is
> not best practice, this note will at least inform developers to use TLS
> properly when using WebCrypto, as otherwise (as we've seen), some
> developers may believe enabling WebCrypto without TLS may give them
> security properties it indeed does not.
>
> We'll have a two week period for discussion before making any changes to
> the spec in this regard.
>
> cheers,
> harry
>
> [1] https://w3c.github.io/webappsec-secure-contexts
Received on Thursday, 14 July 2016 14:58:36 UTC
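
Added example, not part of the original message or of the WebCrypto spec: a simplified JavaScript model of the secure-context rule the message refers to, showing why a frame served over TLS is still not a secure context when its top-level browsing context is not. The function names and sample URLs are assumptions made for illustration, and the `file:` scheme and browser-specific exceptions are left out.

```javascript
// Added example: simplified model of the secure-context rule (assumption:
// only https/wss and loopback hosts count as potentially trustworthy).
// All URLs passed to these functions in the tests are constructed samples.

function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparsable origin: treat as untrusted
  }
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  const host = url.hostname;
  // Loopback is accepted because the traffic never leaves the machine.
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  if (host === "[::1]") return true;
  return false;
}

// chain: URLs from the top-level browsing context down to the frame that
// wants to call crypto.subtle. Returns the first untrusted URL, or null.
function firstInsecureAncestor(chain) {
  for (const u of chain) {
    if (!isPotentiallyTrustworthy(u)) return u;
  }
  return null;
}

// A frame may rely on WebCrypto only if every context above it is secure.
function mayUseWebCrypto(chain) {
  return chain.length > 0 && firstInsecureAncestor(chain) === null;
}

// Guard for real pages: browsers expose the outcome of this check as
// `isSecureContext`; refuse to continue when it is false or subtle is absent.
function requireSubtle(globalObj) {
  if (!globalObj.isSecureContext || !globalObj.crypto || !globalObj.crypto.subtle) {
    throw new Error("WebCrypto requires a secure (TLS) context");
  }
  return globalObj.crypto.subtle;
}
```

In a page, call `requireSubtle(self)` before any key generation or import so that a deployment served without TLS fails loudly instead of running with keys an on-path attacker could have replaced the code for.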