On 6/2/14 5:35 AM, Mike West wrote:
>
>
> "Is document a secure browsing context?" This algorithm does not seem
> to work how you want it to work. It seems first you want to get the
> list of inclusive ancestors of a given document's associated browsing
> context and then verify that for all of them the associated document
> is TLS-protected. And only at that point do you want to return true.
>
>
> Checking the top-level resource is currently all that Chrome does.
> Hopefully Tanvi can weigh in on Mozilla's implementation.
>
> That said, I don't think we need to traverse the entire chain if each
> resource load checks its parent. The child frames should then be
> transitively secure.
Mozilla's implementation checks the parent rather than top. Similar to
this example from the spec:
http://a.com frames https://b.com, which loads http://evil.com. In
this case, the insecure request to evil.com will be blocked, as
b.com was loaded over a secure connection, even though a.com was not.
As Mike says, we do not need to go up through the whole chain, as child
frames are transitively secure.
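The three readings of "is document a secure browsing context?" discussed in this thread (check only the top-level document, check only the document issuing the request, or walk the whole inclusive-ancestor chain) can be compared on the spec's own a.com / b.com / evil.com example. The model below is an added illustration, not code from the spec or from either browser; the `BrowsingContext` class, the policy names `"top"`, `"requester"` and `"chain"`, and the `load_frame` helper are assumptions made for the example. It also shows why, once every frame load is checked against its loader, a TLS-protected top-level document gives transitively secure descendants, so the full chain walk adds nothing in that case.

```python
"""Toy model of the "is document a secure browsing context?" check (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class BrowsingContext:
    """A nested browsing context, identified by the URL of its active document."""
    url: str
    parent: Optional["BrowsingContext"] = None
    children: List["BrowsingContext"] = field(default_factory=list)


def is_tls_protected(ctx: BrowsingContext) -> bool:
    return urlsplit(ctx.url).scheme == "https"


def inclusive_ancestors(ctx: BrowsingContext) -> List[BrowsingContext]:
    """ctx itself, then its parent, ..., ending at the top-level browsing context."""
    chain = []
    while ctx is not None:
        chain.append(ctx)
        ctx = ctx.parent
    return chain


def top_level(ctx: BrowsingContext) -> BrowsingContext:
    return inclusive_ancestors(ctx)[-1]


def blocks_insecure_request(policy: str, requester: BrowsingContext, url: str) -> bool:
    """True if a request for `url` issued from `requester` is blocked as mixed content.

    Policy names are assumptions for this example:
      "top"       - only the top-level document is consulted (Chrome, per Mike)
      "requester" - only the document issuing the request is consulted (Mozilla, per Tanvi)
      "chain"     - every inclusive ancestor must be TLS-protected (literal reading of the draft)
    """
    if urlsplit(url).scheme == "https":
        return False  # a TLS-protected request is never mixed content
    if policy == "top":
        return is_tls_protected(top_level(requester))
    if policy == "requester":
        return is_tls_protected(requester)
    if policy == "chain":
        return all(is_tls_protected(a) for a in inclusive_ancestors(requester))
    raise ValueError(f"unknown policy {policy!r}")


def load_frame(policy: str, parent: BrowsingContext, url: str) -> Optional[BrowsingContext]:
    """Try to load `url` into a new child frame of `parent`; None if the load is blocked."""
    if blocks_insecure_request(policy, parent, url):
        return None
    child = BrowsingContext(url, parent)
    parent.children.append(child)
    return child


def spec_example(policy: str) -> bool:
    """http://a.com frames https://b.com, which then requests http://evil.com.

    Returns True if the request to evil.com is blocked under `policy`."""
    a = BrowsingContext("http://a.com/")
    b = load_frame(policy, a, "https://b.com/")
    assert b is not None  # an https frame is never blocked as mixed content
    return blocks_insecure_request(policy, b, "http://evil.com/x.js")


def nested_loads(policy: str, top_url: str, frame_urls: List[str]):
    """Load each URL as a frame inside the previous one, stopping at the first block.

    Returns (urls that actually loaded, whether every loaded context also passes
    the full inclusive-ancestor check)."""
    top = BrowsingContext(top_url)
    loaded = [top]
    for url in frame_urls:
        child = load_frame(policy, loaded[-1], url)
        if child is None:
            break
        loaded.append(child)
    chain_ok = all(all(is_tls_protected(a) for a in inclusive_ancestors(c)) for c in loaded)
    return [c.url for c in loaded], chain_ok


if __name__ == "__main__":
    for policy in ("top", "requester", "chain"):
        print(f"{policy:9s}: evil.com blocked = {spec_example(policy)}")
    print(nested_loads("requester", "https://top.example/", ["https://b.com/", "http://c.com/"]))
```

Running it shows the disagreement the thread is about: only the `"requester"` policy (Mozilla's parent check) blocks the http://evil.com load from the https://b.com frame, while both the top-only check and the literal chain walk let it through because a.com is plain http. The `nested_loads` call shows the transitivity argument: with an https top-level document and per-load checks against the loader, the http://c.com frame never loads, so every context that exists also satisfies the full chain check.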