Re: [MIX] Is origin an authenticated origin?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 23 Oct 2014 15:31:04 +0200
Message-ID: <CADnb78h5s-12Wb61t_DLhRf2y3kSMB-DknX+-YD69qzH2UJzXQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>

On Thu, Oct 23, 2014 at 2:00 PM, Mike West <mkwst@google.com> wrote:
> Yeah. We can improve the wording of the latter definition. I think you can
> safely s/An[sic] resource's/A/ without losing any meaning, though.

Except that the bits about TLS no longer make sense...

> That said, it's a bit hand-wavy in general due to the "weak" and
> "deprecated" bits. The _origin_ isn't really enough to make those
> judgements, as they require the TLS handshake to complete so that the user
> agent can evaluate the ciphers that were agreed-upon.
> We should probably be talking about a different concept here, but it's not
> clear to me what fits. Suggestions welcome.

As I said in another thread, at the point of creating various objects
and setting their origins, e.g. documents, we should probably add
additional data. It might make sense to study Chrome's implementation
to see what specifications we should modify (given that the
architecture is reasonable and not a hack).

Received on Thursday, 23 October 2014 13:31:37 UTC
