Re: Defining secure-enough origins. from Mike West on 2014-08-22 (public-webappsec@w3.org from August 2014)

From: Mike West <mkwst@google.com>
Date: Fri, 22 Aug 2014 15:55:12 +0200
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Anne van Kesteren <annevk@annevk.nl>
Message-ID: <CAKXHy=f+y0LvTFM-40EXRp+1+ydVPq+zkJKGeRCTT2Cn3050gg@mail.gmail.com>

Yes. I should have pulled the "walk up the tree" language over for srcdoc.
I'll fix that.

I'm less convinced that breaking 'about:blank' is a bug, though I'm sure
it's widely used. Would it be that bad to force about:blank frames to ask
for data from their parent via postMessage?

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Fri, Aug 22, 2014 at 3:51 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 8/22/14, 5:37 AM, Mike West wrote:
>
>> 1. Sandboxed documents use the origin of their location in order to
>> determine authentication, rather than their actual origin. That is,
>> 'https://example.com/' would be considered "authenticated" even if
>> thrown into a sandbox which would give it a unique origin. This is in
>> line with bz's comments on [1] regarding "secure transport" vs "secure
>> origin".
>>
>
> I think this is broken as described.
>
> If I have an https://example.com page that has:
>
>   <iframe srcdoc=whatever sandbox>
>
> then the "location" will be about:srcdoc but the transport is secure.
>
> Similar for about:blank iframes and so forth.
>
> -Boris
>
>

Received on Friday, 22 August 2014 13:56:02 UTC