
Re: CfC: Publish a FPWD of "Requirements for Powerful Features"

From: Mike West <mkwst@google.com>
Date: Tue, 25 Nov 2014 09:26:07 +0100
Message-ID: <CAKXHy=eLPsR7bdtAwqxiK=1Q9q_1PK=TdxY8wPNOUBgUYyr3mQ@mail.gmail.com>
To: Brad Hill <hillbrad@fb.com>
Cc: Mark Nottingham <mnot@mnot.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Nov 24, 2014 at 9:51 PM, Brad Hill <hillbrad@fb.com> wrote:

> Maybe this is just a bug, but see Chrome Canary 41 behavior in the
> following test: (blob Worker, location.origin)
>
> https://webappsec-test.info/~bhill2/sandbox/iframe-sbx-as.html
>
> "Mixed Content: The page at '
> https://webappsec-test.info/~bhill2/sandbox/iframe-sbx-as.html' was
> loaded over HTTPS, but requested an insecure Worker script
> 'blob:null/ed0a1ba3-bf5a-4f18-9e38-dad7b5b0a9cd'. This request has been
> blocked; the content must be served over HTTPS."
>
> Want to be sure it is clear that a blob created by a secure origin is
> itself secure by the algorithm.
>

Hrm. The origin of the blob is `null`, as the frame it's created in is
sandboxed without the `allow-same-origin` flag. If we didn't block it as
mixed content (which, I agree, seems odd), we'd block it because it wasn't
same-origin with the page (see step #5 of
https://html.spec.whatwg.org/multipage/workers.html#dom-worker, and note
that unique origins aren't same-origin with anything, including themselves).

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Commercial register and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 25 November 2014 08:26:56 UTC
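The mechanism the two messages above describe, as an added model that is not code from the thread or from any browser: a sandboxed frame without `allow-same-origin` gets an opaque ("unique") origin, `URL.createObjectURL` serializes that origin as `null` into the blob URL, and the Worker constructor's same-origin step then rejects the script because an opaque origin is not same-origin with anything. The function names (`frameOrigin`, `createBlobUrl`, `blobUrlOrigin`, `sameOrigin`, `workerScriptPermitted`, `scenario`) are assumptions of this model, not spec or browser APIs; the page URL and UUID are the ones quoted in the thread.

```javascript
// Added model of blob-URL origin derivation and the Worker same-origin check.
// Not from the thread or any browser; function names are this model's own.

const OPAQUE = Symbol("opaque origin"); // the "unique" origin of a sandboxed frame

// Origin of the document in a frame. A sandboxed frame that lacks
// allow-same-origin gets an opaque origin; otherwise it keeps its URL's origin.
function frameOrigin(documentUrl, { sandboxed = false, allowSameOrigin = false } = {}) {
  if (sandboxed && !allowSameOrigin) return OPAQUE;
  return new URL(documentUrl).origin;
}

// Serialization used when an origin is written into a URL: opaque -> "null".
function serializeOrigin(origin) {
  return origin === OPAQUE ? "null" : origin;
}

// createObjectURL embeds the creator's serialized origin in the URL, which is
// why a blob made in an opaque-origin frame reads "blob:null/<uuid>".
function createBlobUrl(creatorOrigin, uuid) {
  return `blob:${serializeOrigin(creatorOrigin)}/${uuid}`;
}

// Origin of a blob: URL: parse what follows "blob:" as a URL and take its
// origin; if that is not a valid http(s) URL (e.g. "null/<uuid>"), the blob's
// origin is opaque.
function blobUrlOrigin(blobUrl) {
  if (!blobUrl.startsWith("blob:")) throw new Error("not a blob URL");
  try {
    const inner = new URL(blobUrl.slice("blob:".length));
    return inner.protocol === "https:" || inner.protocol === "http:" ? inner.origin : OPAQUE;
  } catch {
    return OPAQUE; // "null/<uuid>" does not parse as an absolute URL
  }
}

// Same-origin comparison as described in the reply: an opaque origin is not
// same-origin with anything, including another opaque origin.
function sameOrigin(a, b) {
  if (a === OPAQUE || b === OPAQUE) return false;
  return a === b;
}

// The Worker constructor's same-origin step: the script URL's origin must
// match the constructing document's origin, otherwise construction fails.
function workerScriptPermitted(documentOrigin, scriptUrl) {
  const scriptOrigin = scriptUrl.startsWith("blob:")
    ? blobUrlOrigin(scriptUrl)
    : new URL(scriptUrl).origin;
  return sameOrigin(documentOrigin, scriptOrigin);
}

// Constructed scenario matching the thread: a blob Worker created inside a
// sandboxed iframe on the quoted test page.
const page = "https://webappsec-test.info/~bhill2/sandbox/iframe-sbx-as.html";
const uuid = "ed0a1ba3-bf5a-4f18-9e38-dad7b5b0a9cd"; // UUID quoted in the thread

function scenario(sandboxed, allowSameOrigin) {
  const origin = frameOrigin(page, { sandboxed, allowSameOrigin });
  const blobUrl = createBlobUrl(origin, uuid);
  return { blobUrl, permitted: workerScriptPermitted(origin, blobUrl) };
}

const sandboxedCase = scenario(true, false); // blob:null/... -> rejected
const sameOriginCase = scenario(true, true); // blob:https://webappsec-test.info/... -> allowed
console.log(sandboxedCase, sameOriginCase);
```

The model reproduces the reply's point rather than Chrome's "mixed content" wording: the blocking happens at the same-origin step regardless of how the error is labelled, and adding `allow-same-origin` to the sandbox is what turns `blob:null/...` into a blob carrying the page's own origin.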