
Re: [SecureContext] - throw or hide

From: Jonathan Watt <jwatt@jwatt.org>
Date: Mon, 21 Mar 2016 13:28:46 +0000
To: Anne van Kesteren <annevk@annevk.nl>, Boris Zbarsky <bzbarsky@mit.edu>
Cc: Richard Barnes <rbarnes@mozilla.com>, Martin Thomson <mt@mozilla.com>, public-script-coord <public-script-coord@w3.org>
Message-ID: <56EFF70E.8030006@jwatt.org>

On 21/03/2016 13:04, Anne van Kesteren wrote:
> On Mon, Mar 21, 2016 at 1:57 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> On 3/21/16 4:53 AM, Anne van Kesteren wrote:
>>> I think it's mostly Richard and Martin that favor tying this to exposure.
>>
>> And me, for what it's worth.  I strongly believe we should not be exposing
>> attribute getters that are 100% guaranteed to throw when called.
>>
>>> I think that only works well for new APIs. We'd then still need
>>> something for legacy APIs we want to limit to secure contexts (maybe
>>> just prose).
>>
>> Why? That is, why do you think it's more web-compatible to make an API
>> that's feature-detected as present throw than to make it feature-detect as
>> not present and hence trigger polyfills?
>>
>>> I tend to think we should just do whatever is least complicated
>>
>> And most likely to actually be shippable, yes.
>
> Are there many APIs under consideration that are attributes? I thought
> most were methods. I agree it makes sense to go this way if there's a
> lot of attributes.

I don't know if anyone has made up a comprehensive list of APIs, but I did try
and make a list of specs that refer to the secure context's spec (or mention it
in some other way that needs updating, such as "powerful features"):

https://slightlyoff.github.io/ServiceWorker/spec/service_worker/
https://storage.spec.whatwg.org/
https://w3c.github.io/encrypted-media/
https://w3c.github.io/geofencing-api/
https://w3c.github.io/webappsec-mixed-content/
https://w3c.github.io/webappsec-subresource-integrity/
https://w3c.github.io/sensors/
https://w3c.github.io/web-nfc/
https://w3c.github.io/webappsec-clear-site-data/
https://w3c.github.io/webappsec-credential-management/
https://w3ctag.github.io/client-certificates/
https://webbluetoothcg.github.io/web-bluetooth/
https://wicg.github.io/BackgroundSync/
https://wicg.github.io/directory-upload/
https://wicg.github.io/paymentrequest/
https://wicg.github.io/web-payments-browser-api/
https://wicg.github.io/webusb/
https://www.w3.org/Submission/fido-web-api/
https://www.w3.org/TR/permissions/

If someone does go through and make up a list of shipped features that may end
up being put behind [SecureContext], I'd be interested to see it too.

Jonathan
Received on Monday, 21 March 2016 13:29:18 UTC
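
The "throw or hide" distinction debated in this thread, as an added example that is not part of the original message: it models a non-secure context with constructed stand-in objects and runs the same feature-detect-then-polyfill script against both. The attribute name `exampleSensor`, the helper names and the error text are hypothetical.

```javascript
// Constructed stand-ins for a navigator-like object in a NON-secure context.
// "exampleSensor" is a hypothetical attribute name, not a real web API.
function makeThrowModel() {
  // "throw": the attribute stays exposed, but its getter always throws.
  const proto = {};
  Object.defineProperty(proto, "exampleSensor", {
    get() { throw new Error("SecurityError: secure context required"); },
    enumerable: true,
    configurable: true,
  });
  return Object.create(proto);
}

function makeHideModel() {
  // "hide": the attribute is not exposed at all outside secure contexts.
  return Object.create({});
}

// Typical page script: feature-detect with `in`, install a polyfill when the
// feature is missing, then read the attribute.
function detectAndUse(nav) {
  const result = {
    detected: "exampleSensor" in nav,
    polyfilled: false,
    value: null,
    error: null,
  };
  if (!result.detected) {
    Object.defineProperty(nav, "exampleSensor", { value: "polyfill", configurable: true });
    result.polyfilled = true;
  }
  try {
    result.value = nav.exampleSensor;
  } catch (e) {
    // Detection said "present", yet the first use fails at runtime.
    result.error = e.message;
  }
  return result;
}

const throwResult = detectAndUse(makeThrowModel());
const hideResult = detectAndUse(makeHideModel());
console.log("throw model:", throwResult);
console.log("hide model: ", hideResult);
```

Under the throw model the script detects the attribute, skips its polyfill and fails on first use; under the hide model detection fails cleanly and the fallback path runs.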
