- From: Chris Palmer <palmer@google.com>
- Date: Tue, 15 Jul 2014 11:11:18 -0700
- To: Peter Kasting <pkasting@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
On Fri, Jun 27, 2014 at 5:02 PM, Peter Kasting <pkasting@google.com> wrote: >> "Particularly powerful" would mean ... generally any feature that >> we would provide a user-settable permission or privilege to. > > I don't really understand this last clause. Users of browsers can set many > permissions, e.g. in Chrome the user can grant or deny sites the ability to > use plugins, open popup windows, run Javascript, etc. I doubt you intended > to suggest that a new feature with a similar scope to those should be > restricted. """In systems with 2-part principals, it is crucial to strongly authenticate both parts of the principal, not just one part. (Otherwise, the system essentially degrades into a 1-part principal system.)""" That is, to grant (say) ServiceWorkers or even just (say) "can load JavaScript" power to an unauthenticated origin means, effectively, granting that power to any origin, in the presence of a network attacker. And we can only assume that a network attacker is essentially always present. Now, some of those features (disabling pop-ups, disabling JS, et c.) are just as much convenience features as they are security features. To the extent that people want them for convenience, and/or to the extent that people want to turn them off for all origins, it makes sense to expose a choice.
Received on Tuesday, 15 July 2014 18:11:45 UTC