
Re: Requiring Authenticated Origins for Geolocation API's: Open Call for Comments (deadline - February 1, 2015)

From: Mike West <mkwst@google.com>
Date: Thu, 6 Nov 2014 22:48:39 +0100
Message-ID: <CAKXHy=d7ief7xhoxGgxaquAnHOzyDKpaLUASG3y5ytJZYjQYdg@mail.gmail.com>
To: Mounir Lamouri <mounir@lamouri.fr>
Cc: public-geolocation@w3.org
On Thu, Nov 6, 2014 at 10:21 PM, Mounir Lamouri <mounir@lamouri.fr> wrote:
>
> I'm confused, what's the difference between a secure origin and an
> authenticated origin? I would assume that a secure origin had a valid
> certificate that was certified by a trusted source. Is it that easy to
> get such certificate?
>

The currently published WD of MIX defines "authenticated origin" (
http://www.w3.org/TR/mixed-content/#is-origin-authenticated), which
includes things like loopback interfaces, `chrome-extension://`, `app://`,
and `file://` URLs. The name was meant to somehow encompass those non-HTTPS
URLs on which we know folks would want to test these powerful APIs. It
isn't a great name, but it's what we came up with at the time.

The current ED of MIX (which I expect to push to LCWD shortly) punts on the
naming question entirely in favor of verbosity:
https://w3c.github.io/webappsec/specs/mixedcontent/#powerful-features
Hopefully that's simpler.

> Also, an issue with using the geolocation API over insecure origins (and
> especially http) is that you might end up passing in clear through the
> wire some personal and identifiable information, which obviously, isn't
> a great idea.
>

This.

Note especially that in the presence of an active network attacker (e.g.
your local coffee shop), allowing _any_ unencrypted and unauthenticated
origin that sends data over the network access to an API is the same as
allowing every origin access to that API (because of injected, attacker
controlled IFrames).

Personally, I think it's a terrible shame that geolocation APIs weren't
restricted to encrypted and authenticated contexts when originally defined.
I'm happy to see discussion revisiting that decision.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 6 November 2014 21:49:29 UTC
