W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: [MIX] Is origin an authenticated origin?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 23 Oct 2014 15:55:07 +0200
Message-ID: <CADnb78gMsaYJ7SKuRq5ic-gz8HNzEM1ab3n90q9T+whTsx7P6Q@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, Oct 23, 2014 at 3:41 PM, Mike West <mkwst@google.com> wrote:
> Chrome will need to implement something in Q1 as part of the SHA-1
> deprecation, as outlined here:
> http://googleonlinesecurity.blogspot.de/2014/09/gradually-sunsetting-sha-1.html.

That talks about UI. It doesn't say that this will affect an origin's
ability to use crypto (for instance).

Anyway, if we need something like this I would a) kind of like to
migrate/alias document's origin and a worker's origin to/on an
environment settings object. Then I'd also like it that when an
environment settings object is created we put additional data about
unauthenticated, weakly authenticated, vs authenticated on it.

And then instead of an origin check I guess I would expect an "is
authenticated environment settings object" check. (It can remain an
origin check I suppose if we stick the additional fields on an origin
so it becomes more than just a tuple.)

> Firefox might be in a similar position?

I don't know.

Received on Thursday, 23 October 2014 13:55:34 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:41 UTC