Re: Defining secure-enough origins. from Jeffrey Yasskin on 2014-08-28 (public-webappsec@w3.org from August 2014)

From: Jeffrey Yasskin <jyasskin@google.com>
Date: Thu, 28 Aug 2014 09:14:13 -0700
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>
Message-ID: <CANh-dXk5QpEVCN_BUWr+a=2XPBa8zVYKak0oFK6rT-=Mv4qkLg@mail.gmail.com>

Since an origin is just (uri-scheme, uri-host, uri-port)--effectively a
string--but insecurity and authentication in MIX change based on
whether "the user agent discovers only after performing a
TLS-handshake that the TLS-protection offered is either weak or
deprecated", I'm not sure it's appropriate to talk about authenticated
or insecure "origins". I think it's the _resource_ that becomes
insecure if it turns out to have been transferred over a TLS-deficient
connection.

The "authenticated environment" term is nice, because it's easy to get
to an environment from any IDL description.

On Fri, Aug 22, 2014 at 2:37 AM, Mike West <mkwst@google.com> wrote:
> Splitting this off from the other thread for clarity: given that there are
> APIs (ServiceWorker for example) that wish to restrict themselves to some
> "secure" subset of the web, we need to define some set of rules that UAs can
> agree upon (see [1], [2], and [3]). MIX seems like the right place to do
> that.
>
> I've put up a more formalized version of the rules at [4] as a strawman, and
> renamed the concept "authenticated origin/environment":
> https://w3c.github.io/webappsec/specs/mixedcontent/#authenticated-origin
>
> There are two differences between the wiki page and the spec strawman:
>
> 1. Sandboxed documents use the origin of their location in order to
> determine authentication, rather than their actual origin. That is,
> 'https://example.com/' would be considered "authenticated" even if thrown
> into a sandbox which would give it a unique origin. This is in line with
> bz's comments on [1] regarding "secure transport" vs "secure origin".
>
> 2. 'blob:' and 'filesystem:' URLs created in the context of an authenticated
> origin would themselves be considered authenticated.
>
> WDYT?
>
> [1]: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25972
> [2]: https://github.com/slightlyoff/ServiceWorker/issues/385
> [3]: https://github.com/w3c/webappsec/issues/41
> [4]:
> http://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Thursday, 28 August 2014 16:15:00 UTC