- From: Jonathan Watt <jwatt@jwatt.org>
- Date: Mon, 21 Mar 2016 13:28:46 +0000
- To: Anne van Kesteren <annevk@annevk.nl>, Boris Zbarsky <bzbarsky@mit.edu>
- Cc: Richard Barnes <rbarnes@mozilla.com>, Martin Thomson <mt@mozilla.com>, public-script-coord <public-script-coord@w3.org>
On 21/03/2016 13:04, Anne van Kesteren wrote: > On Mon, Mar 21, 2016 at 1:57 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote: >> On 3/21/16 4:53 AM, Anne van Kesteren wrote: >>> I think it's mostly Richard and Martin that favor tying this to exposure. >> >> And me, for what it's worth. I strongly believe we should not be exposing >> attribute getters that are 100% guaranteed to throw when called. >> >>> I think that only works well for new APIs. We'd then still need >>> something for legacy APIs we want to limit to secure contexts (maybe >>> just prose). >> >> Why? That is, why do you think it's more web-compatible to make an API >> that's feature-detected as present throw than to make it feature-detect as >> not present and hence trigger polyfills. >> >>> I tend to think we should just do whatever is least complicated >> >> And most likely to actually be shippable, yes. > > Are there many APIs under consideration that are attributes? I thought > most were methods. I agree it makes sense to go this way if there's a > lot of attributes. I don't know if anyone has made up a comprehensive list of APIs, but I did try and make a list of spec's that refer to the secure context's spec (or mention it in some other way that needs updated, such as "powerful features"): https://slightlyoff.github.io/ServiceWorker/spec/service_worker/ https://storage.spec.whatwg.org/ https://w3c.github.io/encrypted-media/ https://w3c.github.io/geofencing-api/ https://w3c.github.io/webappsec-mixed-content/ https://w3c.github.io/webappsec-subresource-integrity/ https://w3c.github.io/sensors/ https://w3c.github.io/web-nfc/ https://w3c.github.io/webappsec-clear-site-data/ https://w3c.github.io/webappsec-credential-management/ https://w3ctag.github.io/client-certificates/ https://webbluetoothcg.github.io/web-bluetooth/ https://wicg.github.io/BackgroundSync/ https://wicg.github.io/directory-upload/ https://wicg.github.io/paymentrequest/ https://wicg.github.io/web-payments-browser-api/ https://wicg.github.io/webusb/ https://www.w3.org/Submission/fido-web-api/ https://www.w3.org/TR/permissions/ If someone does go through and make up a list of shipped features that may end up being put behind [SecureContext] I'd be interested to see it too. Jonathan
Received on Monday, 21 March 2016 13:29:18 UTC