- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sun, 31 Aug 2014 19:02:09 +0200
- To: Jeffrey Yasskin <jyasskin@google.com>
- Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Aug 28, 2014 at 6:14 PM, Jeffrey Yasskin <jyasskin@google.com> wrote:
> Since an origin is just (uri-scheme, uri-host, uri-port)--effectively a
> string--but insecurity and authentication in MIX change based on
> whether "the user agent discovers only after performing a
> TLS-handshake that the TLS-protection offered is either weak or
> deprecated", I'm not sure it's appropriate to talk about authenticated
> or insecure "origins". I think it's the _resource_ that becomes
> insecure if it turns out to have been transferred over a TLS-deficient
> connection.

Origins are very much objects. They are either a tuple (sometimes
comparisons are just done on the scheme), an identifier, or a pointer
to another origin (called alias at the moment). Some engines might
also have the certificate pinned to the origin so for TLS-origins an
additional comparison is made other than scheme/host/port.

> The "authenticated environment" term is nice, because it's easy to get
> to an environment from any IDL description.

From the last time Ian weighed in it seems we need to move from
environment to global object. But I haven't had the time to dig in
that again.

--
http://annevankesteren.nl/

Received on Sunday, 31 August 2014 17:02:36 UTC