W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: [blink-dev] Re: Proposal: Prefer secure origins for powerful new web platform features

From: Peter Kasting <pkasting@google.com>
Date: Fri, 27 Jun 2014 17:04:02 -0700
Message-ID: <CAAHOzFCHEF9WQBxSzs-RbsBL04Ut6BCzM6kqm8mntMz9j6hxZw@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: Chris Palmer <palmer@google.com>, Alex Russell <slightlyoff@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, dev-security@lists.mozilla.org
On Fri, Jun 27, 2014 at 4:56 PM, Michal Zalewski <lcamtuf@coredump.cx>
wrote:

> >> I think the inclusion of file:/// is somewhat problematic, since it is
> >> not implied that the content arrived over a secure channel,
> >
> > Right. "But it's here now." Perhaps we should take file: off the list,
> > perhaps we should find some way to tag files as having come from
> > secure transport, or...
>
> A special problem here is also how to scope the permission if ever
> granted by the user. A permission granted to
> file:///installed_app/bar.html probably shouldn't carry over to
> file:///some/random/downloaded/thing.html.


I believe in Chrome, at least for content settings and similar
origin-scoped permissions, file: URLs are treated as if the entire file
path is the origin, so every file's permissions are unique to it.

I haven't checked this against the code.

PK
Received on Saturday, 28 June 2014 00:04:29 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC