W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: [blink-dev] Proposal: Prefer secure origins for powerful new web platform features

From: Ryan Sleevi <rsleevi@chromium.org>
Date: Fri, 27 Jun 2014 17:35:44 -0700
Message-ID: <CACvaWvYj0N9dMNXdhGEMYXsprf4QWmDCov2zGRHz1BN7-7jyzA@mail.gmail.com>
To: Peter Kasting <pkasting@google.com>
Cc: blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, dev-security@lists.mozilla.org, "public-webappsec@w3.org" <public-webappsec@w3.org>, Chris Palmer <palmer@google.com>
On Jun 27, 2014 5:02 PM, "'Peter Kasting' via Security-dev" <
security-dev@chromium.org> wrote:
>
> On Fri, Jun 27, 2014 at 3:55 PM, 'Chris Palmer' via blink-dev <
blink-dev@chromium.org> wrote:
>>
>> "Particularly powerful" would mean ... generally any feature that
>>
>> we would provide a user-settable permission or privilege to.
>
>
> I don't really understand this last clause.  Users of browsers can set
many permissions, e.g. in Chrome the user can grant or deny sites the
ability to use plugins, open popup windows, run Javascript, etc. I doubt
you intended to suggest that a new feature with a similar scope to those
should be restricted.
>
> PK

There is, I think, a balance.

The examples you gave are examples where we default positive (allow), but
then allow the user to deny. In effect, all origins BUT X have access to a
permission.

However, for permissions where the assumption is default-deny (or prompt),
those are certainly in scope. That's because if you grant Origin X access,
and X is an origin delivered over an insecure transport, you've granted it
to all origins, in effect.

Would it make more sense to clarify that its in response to deny-by-default
permissions? geolocation, audio, video all come to mind as modern deny
features that would, ideally, have been restricted for the reasons listed -
though that horse has long since left the barn.
Received on Saturday, 28 June 2014 00:36:11 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC