W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: [MIX] Is origin an authenticated origin?

From: Mike West <mkwst@google.com>
Date: Thu, 23 Oct 2014 14:00:06 +0200
Message-ID: <CAKXHy=dRGKErL5gFgaRO2y14hV37cshGQ0s224Lx4M+JSq-Utw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
Yeah. We can improve the wording of the latter definition. I think you can
safely s/An[sic] resource's/A/ without losing any meaning, though.

That said, it's a bit hand-wavy in general due to the "weak" and
"deprecated" bits. The _origin_ isn't really enough to make those
judgements, as they require the TLS handshake to complete so that the user
agent can evaluate the ciphers that were agreed-upon.

We should probably be talking about a different concept here, but it's not
clear to me what fits. Suggestions welcome.


Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Thu, Oct 23, 2014 at 1:43 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> When reviewing service workers I found this definition to be lacking.
> It talks about origins but then it refers
> https://w3c.github.io/webappsec/specs/mixedcontent/#insecure-origin
> which starts talking about resources. We don't know about resources in
> an algorithm that only takes an origin as parameter.
> --
> https://annevankesteren.nl/
Received on Thursday, 23 October 2014 12:00:55 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:41 UTC