On Tue, Jun 3, 2014 at 8:17 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>
> Again,
> https://w3c.github.io/webappsec/specs/mixedcontent/#categorize-environment
> step 1 says if the environment is TLS-protected, you return true. And
> you are not checking the parent in step 2 (which would not be reached
> if the current environment was secure), you check the top.

Ah, now I see your point. Sorry I missed it.

I think shortcutting when the current document is TLS-protected is reasonable: that is, if I'm requesting `http://b.com` from `https://a.com`, I don't have to look at the parent browsing context to know that I'm working in a secure context. That's step 1.

If the current context is not TLS-protected (perhaps it's a 'data:' URL), I need to look at my parent. But if I'm nested in multiple 'data:' URLs then checking top might also be insufficient. Hrm.

Rather than trying to be clever about optimizing the spec's algorithm for the minimum number of checks, I think I'll just change it to walk the ancestor tree. If implementers have good ideas about how to optimize that for speed, they're free to do so.

https://github.com/w3c/webappsec/commit/1dddda66a39b61e28805fe61c49a74ef904fc78a

WDYT?

-mike

Received on Tuesday, 3 June 2014 08:36:14 UTC
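The following JavaScript is an added illustration of the point discussed in this message; it is not code from the thread, from the Mixed Content spec, or from any browser. It models a chain of nested browsing contexts as a toy tree (the `makeContext` helper, the scheme values `https`/`http`/`data`, and the rule that a `data:` frame inherits protection from its parent are all assumptions made for the example) and compares the "check the top only" shortcut with the "walk the ancestor tree" approach. A `data:` frame nested inside an `http:` frame inside an `https:` top-level page is the case where the two disagree.

```javascript
// Added example (not from the thread or the spec): a toy model of nested
// browsing contexts, used to compare "check top only" against "walk the
// ancestor tree" when deciding whether a context is TLS-protected.
// The context shape and the treatment of "data" are assumptions for
// illustration; the spec text is the authority.

// Build a context: scheme is one of "https", "http", "data"; parent may be null.
function makeContext(scheme, parent = null) {
  return { scheme, parent };
}

function isTlsProtected(ctx) {
  return ctx.scheme === "https";
}

// Shortcut variant: if the current context is TLS-protected we are done;
// otherwise consult only the top-level context.
function secureByTopOnly(ctx) {
  if (isTlsProtected(ctx)) return true;
  let top = ctx;
  while (top.parent) top = top.parent;
  return isTlsProtected(top);
}

// Ancestor-walk variant: a context is secure if it is itself TLS-protected,
// or if it is a data: frame (which in this model inherits protection from
// its parent) and the chain above it is secure. Any http: ancestor between
// a data: frame and the top makes the whole chain insecure.
function secureByAncestorWalk(ctx) {
  for (let c = ctx; c; c = c.parent) {
    if (isTlsProtected(c)) return true;
    if (c.scheme !== "data") return false; // an http: (or other) origin ends the walk
    // data: inherits from its parent; keep walking upward
  }
  return false; // a top-level data: context with no parent
}

// Constructed tree: https top -> http iframe -> data: iframe -> data: iframe
const top = makeContext("https");
const httpFrame = makeContext("http", top);
const dataFrame = makeContext("data", httpFrame);
const innerData = makeContext("data", dataFrame);

// Returns both verdicts for a context so the divergence is easy to see.
function compare(ctx) {
  return { topOnly: secureByTopOnly(ctx), ancestorWalk: secureByAncestorWalk(ctx) };
}

console.log(compare(innerData)); // top-only says secure, ancestor walk says not
```

The top-only shortcut reports the innermost `data:` frame as secure because the top-level page is `https:`, while the ancestor walk stops at the intervening `http:` frame and reports it insecure, which is the discrepancy the message describes.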