W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: Proposal: Prefer secure origins for powerful new web platform features

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Fri, 27 Jun 2014 16:56:12 -0700
Message-ID: <CALx_OUAuJPsQ7uHg1RBxB9+x1Rf7hB8LcPytKmYi-TPKNeBiVA@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Cc: Alex Russell <slightlyoff@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, dev-security@lists.mozilla.org
>> I think the inclusion of file:/// is somewhat problematic, since it is
>> not implied that the content arrived over a secure channel,
>
> Right. "But it's here now." Perhaps we should take file: off the list,
> perhaps we should find some way to tag files as having come from
> secure transport, or...

A special problem here is also how to scope the permission if ever
granted by the user. A permission granted to
file:///installed_app/bar.html probably shouldn't carry over to
file:///some/random/downloaded/thing.html.

> Right. mkwst, others, and tangentially me are working on tightening it
> up for reasons like this.
> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0214.html

Yeah, I was following this pretty closely, but didn't think it's
aiming to restrict the ability for file:/// to, say, load scripts from
http://bad.idea.com/nooo.js?

/mz
Received on Friday, 27 June 2014 23:56:59 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC