W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

Re: [blink-dev] Proposal: Prefer secure origins for powerful new web platform features

From: Chris Palmer <palmer@google.com>
Date: Tue, 15 Jul 2014 11:11:18 -0700
Message-ID: <CAOuvq20No1GhyrGVBPodvwfjRyLD0qeUQ1SUXtaCMRZB6OLUJA@mail.gmail.com>
To: Peter Kasting <pkasting@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
On Fri, Jun 27, 2014 at 5:02 PM, Peter Kasting <pkasting@google.com> wrote:

>> "Particularly powerful" would mean ... generally any feature that
>> we would provide a user-settable permission or privilege to.
>
> I don't really understand this last clause.  Users of browsers can set many
> permissions, e.g. in Chrome the user can grant or deny sites the ability to
> use plugins, open popup windows, run Javascript, etc. I doubt you intended
> to suggest that a new feature with a similar scope to those should be
> restricted.

"""In systems with 2-part principals, it is crucial to strongly
authenticate both parts of the principal, not just one part.
(Otherwise, the system essentially degrades into a 1-part principal
system.)"""

That is, to grant (say) ServiceWorkers or even just (say) "can load
JavaScript" power to an unauthenticated origin means, effectively,
granting that power to any origin, in the presence of a network
attacker. And we can only assume that a network attacker is
essentially always present.

Now, some of those features (disabling pop-ups, disabling JS, et c.)
are just as much convenience features as they are security features.
To the extent that people want them for convenience, and/or to the
extent that people want to turn them off for all origins, it makes
sense to expose a choice.
Received on Tuesday, 15 July 2014 18:11:45 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC