[remote-playback] Restrict the API to Secure Contexts or discuss the decision in Security Considerations from Jeffrey Yasskin via GitHub on 2017-09-25 (public-secondscreen@w3.org from September 2017)

From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
Date: Mon, 25 Sep 2017 17:31:18 +0000
To: public-secondscreen@w3.org
Message-ID: <issues.opened-260355687-1506360665-sysbot+gh@w3.org>

jyasskin has just created a new issue for https://github.com/w3c/remote-playback:

== Restrict the API to Secure Contexts or discuss the decision in Security Considerations ==
The web platform restricts most new features, and especially ones that involve asking the user a question, to [Secure Contexts](https://w3c.github.io/webappsec-secure-contexts/#integration-idl). It looks like Remote Playback [does](https://w3c.github.io/remote-playback/#user-interface-guidelines) intend to show the user an origin, which means it ought to only be available when that origin is known to be the source of the content.

If there are [reasons](https://groups.google.com/a/chromium.org/d/topic/blink-dev/lumj0lVdtHA/discussion) to provide the API to non-secure contexts anyway, they should show up in the Security Considerations section so that security reviewers know to think about them.

Please view or discuss this issue at https://github.com/w3c/remote-playback/issues/107 using your GitHub account

Received on Monday, 25 September 2017 17:31:10 UTC