Re: [MIX] Is origin an authenticated origin?

From: Mike West <mkwst@google.com>
Date: Tue, 28 Oct 2014 17:09:18 +0100
Message-ID: <CAKXHy=cmB_LAcJLvGm3M+7POFAPgCr1b6oa5jVXFmB8u2K_+zw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>

That works for me, and is more or less exactly what I'd have suggested.

That said, one nit: Chrome has no need to distinguish between "deprecated"
and "weak", but other browsers might.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Oct 28, 2014 at 5:05 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, Oct 23, 2014 at 5:06 PM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
> > So I guess whether something is weakly authenticated should first be
> > exposed on a response. And then propagated by the navigate and run a
> > worker algorithms somehow for environment settings objects.
>
> I would prefer not using http://www.w3.org/TR/wsc-ui/ as a building
> block since it's not actively maintained. I think for now I'll just
> define a "TLS state" field which is "protected", "deprecated", or
> "none" and leave it up to implementers to pick between "protected" and
> "deprecated" (that seems to be current best practice :/) and then
> Mixed Content and co can build upon that.
>
>
> --
> https://annevankesteren.nl/
>
Received on Tuesday, 28 October 2014 16:10:08 UTC
