Re: [MIX] Language improvement for authenticated origin definition

From: Jeffrey Yasskin <jyasskin@google.com>
Date: Tue, 18 Nov 2014 08:44:17 -0800
Message-ID: <CANh-dXmY8g-FQdh=Rn24+G9Le4Xv9ENGbbnZu6SLQO3WrAAvYA@mail.gmail.com>
To: Mark Watson <watsonm@netflix.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Nov 18, 2014 at 8:04 AM, Mark Watson <watsonm@netflix.com> wrote:

> All,
>
> I find the definition in terms of can X "use powerful features ?"
> problematic, because the term "powerful features" is undefined and also a
> matter of case-by-case judgement on the part of the responsible working
> groups.
>
> It may also be the case that different "powerful features" choose to use
> slightly different definitions. For example, Chrome's implementation of
> WebCrypto works only if the Document's origin is authenticated whereas it's
> been proposed that for EME any such restrictions be based on the origin of
> the top-level browsing context.
>

As the editor of one of the specs that intends to use the "powerful
features" definition (
https://webbluetoothcg.github.io/web-bluetooth/#device-access-is-powerful),
I'd much rather a security group define the restrictions for that, than
need to figure it out on my own. The specs with political fights over this
can include their own wording, but the rest of us should have a single
definition to point to.

> One could also see this procedure as a kind of backwards *definition* of
> "powerful features", i.e. "Powerful Features are those features that may
> only be used if the following procedure returns "Allowed".", and then my
> comments are that it may not be only for this group to create such a
> definition.
>

My spec currently uses the old "authenticated environment" phrase because I
haven't updated it since the term changed, but I'll be fine saying that
"Bluetooth is a powerful feature; follow the restrictions defined over
there."

> It would be better if the procedure were renamed in more concrete terms:
> "Is Document's origin authenticated ?" or "Is Document potentially trusted
> ?" etc.
>
> ...Mark
>
>
>
Received on Tuesday, 18 November 2014 16:45:04 UTC