Re: Presentation API in non secure contexts from mark a. foltz on 2017-01-25 (public-web-security@w3.org from January 2017)

From: mark a. foltz <mfoltz@google.com>
Date: Wed, 25 Jan 2017 10:16:04 -0800
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Frederik Braun <fbraun@mozilla.com>, Richard Barnes <rbarnes@mozilla.com>, Francois Daoust <fd@w3.org>, WebAppSec WG <public-webappsec@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>, "Kostiainen, Anssi" <anssi.kostiainen@intel.com>
Message-ID: <CALgg+HEd4KQ+PBQ0pQSPb4dS2r=dxOmAKDGJEAGZ2v=+pEsDdQ@mail.gmail.com>

On Mon, Jan 23, 2017 at 11:46 PM, Anne van Kesteren <annevk@annevk.nl>
wrote:

> On Tue, Jan 24, 2017 at 8:29 AM, Frederik Braun <fbraun@mozilla.com>
> wrote:
> > Also, note that a user giving permission to a site in a non-secure
> > context will be surprised to note that this permission is leaking all
> > over the public wifis he's using.
>

Can you explain what you mean by "permission leaking" more specifically?
How does selecting a presentation display on one network "leak" to a
different network where the screen is no longer accessible?

> >
> > I wonder if a permission prompt on non-secure contexts is useful at all.
>
> I think doing such prompts on non-secure contexts devalues the overall
> security of prompts. Assuming that the user is carefully making the
> distinction and weighing their options is just not something we know
> to be true.
>

That's a fair point and weighs in favor of the restriction.

m.

Received on Wednesday, 25 January 2017 18:16:58 UTC