Re: "Requirements for Powerful Features" strawman. from Mark Watson on 2014-11-21 (public-webappsec@w3.org from November 2014)

From: Mark Watson <watsonm@netflix.com>
Date: Fri, 21 Nov 2014 08:28:35 -0800
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@fb.com>
Message-ID: <CAEnTvdBYybWCFUi4mXwr=ggBuyaES1dMEobk5gkpeKJVy7Nskw@mail.gmail.com>

On Fri, Nov 21, 2014 at 8:12 AM, Mike West <mkwst@google.com> wrote:

> On Fri, Nov 21, 2014 at 4:47 PM, Mark Watson <watsonm@netflix.com> wrote:
>>
>> The algorithm "May document use powerful features" pre-judges the kind of
>> questions I asked at the end of my mail below, whilst the discussions of
>> the definitions are still in progress (and particularly the definition of
>> "powerful features").
>>
>
> Ah, you're talking about the algorithm names. Now I understand the
> concern, thank you for explaining. I've changed these in
> https://github.com/w3c/webappsec/commit/7872ee53dbe6fb1e1b92e219c4ff24e9172ff553
> to "Is |document| a sufficiently secure context?" and "Is |environment
> settings object| a sufficiently secure context?" respectively.
>
>
>> I think it might be hard to come up with a universally agreed definition
>> of "Powerful features", so by decoupling things you have option (2) in the
>> meantime.
>>
>
> I'm more optimistic on this point than you seem to be, but I totally agree
> with the thrust of the critique: the document currently separates the
> outline of "powerful features"[1] and the requirements for secure
> contexts[2] in a way that I hope now addresses your concerns.
>

Yes, thank you.

One further comment on item (4) in [1]. Is exposing a temporary identifier
really a sufficient condition for "powerful" ? Wouldn't that catch
IndexedDB, since a site can clearly install a temporary identifier there ?
We're working on normative definitions in EME, but I think there is only a
concern if an identifier is not easily clearable, is shared across origins
or actually encodes some information rather than being an opaque temporary
identifier. I think you should at least say "Some implementations of" EME,
since several UAs have worked / are working very hard to eliminate
problematic identifiers here.

...Mark





>
> [1]:
> https://w3c.github.io/webappsec/specs/powerfulfeatures/#is-feature-powerful
> [2]: https://w3c.github.io/webappsec/specs/powerfulfeatures/#algorithms
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>

Received on Friday, 21 November 2014 16:29:12 UTC