W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: Proposal: Prefer secure origins for powerful new web platform features

From: Chris Palmer <palmer@google.com>
Date: Fri, 27 Jun 2014 17:02:53 -0700
Message-ID: <CAOuvq22PsNPt3jk1hEsfujE-J5nZ4mg1AN+CViem1K_V4bJ1Nw@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: Alex Russell <slightlyoff@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, dev-security@lists.mozilla.org
On Fri, Jun 27, 2014 at 4:56 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:

> A special problem here is also how to scope the permission if ever
> granted by the user. A permission granted to
> file:///installed_app/bar.html probably shouldn't carry over to
> file:///some/random/downloaded/thing.html.

Right. Permissions are (I hope always) granted and persisted per
origin; and, in Chrome at least, each file pathname is a distinct
origin.

>> Right. mkwst, others, and tangentially me are working on tightening it
>> up for reasons like this.
>> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0214.html
>
> Yeah, I was following this pretty closely, but didn't think it's
> aiming to restrict the ability for file:/// to, say, load scripts from
> http://bad.idea.com/nooo.js?

I think you are right about that.
Received on Saturday, 28 June 2014 00:03:20 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC