
Re: CfC: Publish a FPWD of "Requirements for Powerful Features"

From: Brad Hill <hillbrad@fb.com>
Date: Mon, 24 Nov 2014 20:51:10 +0000
To: Mike West <mkwst@google.com>
CC: Mark Nottingham <mnot@mnot.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D098D976.1632%hillbrad@fb.com>
Maybe this is just a bug, but see Chrome Canary 41 behavior in the following test:  (blob Worker, location.origin)

https://webappsec-test.info/~bhill2/sandbox/iframe-sbx-as.html


"Mixed Content: The page at 'https://webappsec-test.info/~bhill2/sandbox/iframe-sbx-as.html' was loaded over HTTPS, but requested an insecure Worker script 'blob:null/ed0a1ba3-bf5a-4f18-9e38-dad7b5b0a9cd'. This request has been blocked; the content must be served over HTTPS."

Want to be sure it is clear that a blob created by a secure origin is itself secure by the algorithm.


From: Mike West <mkwst@google.com>
Date: Monday, November 24, 2014 at 12:17 PM
To: Bradley Hill <hillbrad@fb.com>
Cc: Mark Nottingham <mnot@mnot.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Subject: Re: CfC: Publish a FPWD of "Requirements for Powerful Features"

On Mon, Nov 24, 2014 at 9:00 PM, Brad Hill <hillbrad@fb.com> wrote:
I've made a pull request to formalize the tone a bit.  Pending that or
similar updates by the editor, I support the publication of this draft.

Thank you! I accepted the pull, cleaned up a few bits, and republished: http://w3c.github.io/webappsec/specs/powerfulfeatures/

Regarding the issue #2 you added, 'blob:' has an origin, as does 'data:'. What clarification do you think is necessary in the algorithm in order to resolve the issue?

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
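The disagreement in this thread is about what information the "potentially trustworthy" check needs when the resource is a blob: URL. The following is an added illustration, not text from the draft, from Chrome, or from either author: a small model of the origin check as I read the draft (the exact scheme and loopback lists are assumptions), applied to the URLs that appear in Brad's Chrome log. The point it makes is that `blob:https://…` carries its creator's origin in the URL, whereas `blob:null/…` (the serialization a blob gets when created from an opaque origin, as in a sandboxed iframe) does not, so a checker that only looks at the URL string will call it insecure unless it is also handed the creating context's origin.

```javascript
// Added example: a simplified model of the "potentially trustworthy" origin
// check discussed in the "Requirements for Powerful Features" draft. The
// rules below are an assumed reading of the draft, not its normative text.

// Loopback hosts the draft treats as trustworthy even over http: (assumption).
const LOOPBACK_HOSTS = ['localhost', '127.0.0.1', '[::1]'];

// A blob: URL serializes as "blob:<creator origin>/<uuid>"; recover the origin part.
// Returns null for non-blob URLs.
function blobCreatorOrigin(urlString) {
  const u = new URL(urlString);
  if (u.protocol !== 'blob:') return null;
  const path = u.pathname;                 // e.g. "https://example.com/uuid" or "null/uuid"
  const slash = path.lastIndexOf('/');
  return slash > 0 ? path.slice(0, slash) : path;
}

// Decide whether `urlString` should be treated as secure. `creatorOrigin` is the
// origin of the context that created the resource; it is only consulted when the
// URL itself cannot tell us (opaque blob: origins, data:).
function isPotentiallyTrustworthy(urlString, creatorOrigin) {
  const u = new URL(urlString);
  switch (u.protocol) {
    case 'https:':
    case 'wss:':
    case 'file:':
      return true;
    case 'http:':
    case 'ws:':
      return LOOPBACK_HOSTS.includes(u.hostname);
    case 'blob:': {
      const origin = blobCreatorOrigin(urlString);
      if (origin === 'null') {
        // Opaque origin (e.g. a sandboxed iframe): the string "null" says nothing
        // about who created the blob, so fall back to the creator's origin if known.
        return creatorOrigin ? isPotentiallyTrustworthy(creatorOrigin) : false;
      }
      // blob created by a concrete origin: it is as trustworthy as that origin.
      return isPotentiallyTrustworthy(origin);
    }
    case 'data:':
      // data: URLs inherit the origin of whoever embedded them.
      return creatorOrigin ? isPotentiallyTrustworthy(creatorOrigin) : false;
    default:
      return false;
  }
}

// Mixed content, in the sense of the Chrome message quoted above: a trustworthy
// page fetching a resource that is not itself trustworthy.
function isMixedContent(pageUrl, resourceUrl, creatorOrigin) {
  return isPotentiallyTrustworthy(pageUrl) &&
         !isPotentiallyTrustworthy(resourceUrl, creatorOrigin);
}

// Constructed inputs mirroring the thread: the test page and its blob Worker URL.
const PAGE = 'https://webappsec-test.info/~bhill2/sandbox/iframe-sbx-as.html';
const OPAQUE_BLOB = 'blob:null/ed0a1ba3-bf5a-4f18-9e38-dad7b5b0a9cd';

console.log('URL alone  :', isMixedContent(PAGE, OPAQUE_BLOB) ? 'blocked' : 'allowed');
console.log('with creator:', isMixedContent(PAGE, OPAQUE_BLOB, 'https://webappsec-test.info') ? 'blocked' : 'allowed');
```

Run with `node`: the first line reports "blocked", reproducing the behaviour in the log, and the second reports "allowed" once the checker is told which origin created the blob. That is the distinction Brad's issue asks the algorithm to spell out: a blob's trustworthiness is a property of its creating context, and an opaque-origin serialization must not be mistaken for an insecure one.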
Received on Monday, 24 November 2014 20:51:41 UTC
