- From: Mike West <mkwst@google.com>
- Date: Thu, 6 Nov 2014 22:48:39 +0100
- To: Mounir Lamouri <mounir@lamouri.fr>
- Cc: public-geolocation@w3.org
- Message-ID: <CAKXHy=d7ief7xhoxGgxaquAnHOzyDKpaLUASG3y5ytJZYjQYdg@mail.gmail.com>
On Thu, Nov 6, 2014 at 10:21 PM, Mounir Lamouri <mounir@lamouri.fr> wrote: > > I'm confused, what's the difference between a secure origin and an > authenticated origin? I would assume that a secure origin had a valid > certificate that was certified by a trusted source. Is it that easy to > get such certificate? > The currently published WD of MIX defines "authenticated origin" ( http://www.w3.org/TR/mixed-content/#is-origin-authenticated), which includes things like loopback interfaces, `chrome-extension://`, `app://`, and `file://` URLs. The name was meant to somehow encompass those non-HTTPS URLs on which we know folks would want to test these powerful APIs. It isn't a great name, but it's what we came up with at the time. The current ED of MIX (which I expect to push to LCWD shortly) punts on the naming question entirely in favor of verbosity: https://w3c.github.io/webappsec/specs/mixedcontent/#powerful-features Hopefully that's simpler. Also, an issue with using the geolocation api over insecure origins (and > especially http) is that you might end up passing in clear trough the > wire some personal and identifiable information, which obviously, isn't > a great idea. > This. Note especially that in the presence of an active network attacker (e.g. your local coffee shop), allowing _any_ unencrypted and unauthenticated origin that sends data over the network access to an API is the same as allowing every origin access to that API (because of injected, attacker controlled IFrames). Personally, I think it's a terrible shame that geolocation APIs weren't restricted to encrypted and authenticated contexts when originally defined. I'm happy to see discussion revisiting that decision. -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 6 November 2014 21:49:29 UTC