W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Permission that spans browsing contexts

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 30 Oct 2014 13:56:46 +0100
Message-ID: <CADnb78iEz+dZRvRzSAz7gKFhsDde25gWSxPAMHoKiMyG6VoG5A@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
The powerful features push is good. However, it does allow a TLS
<iframe> to collaborate with non-TLS parent. This is how Netflix gets
access to Web Crypto and therefore likely complains less about that
than they complain about making EME a powerful feature.

It might be a bit early, but it would be nice to start considering
stricter models. Where the top-level browsing context needs to be TLS.
Or where only the top-level browsing context gets access to a feature
(proposed for e.g. first-party cookies).

Since Make enjoys writing a lot of tiny specifications, perhaps we
should have a "security permissions" document that other
specifications can reference for the permission policy their feature
enjoys and move the powerful feature stuff from Mixed Content there.

Providing terminology for these various approaches hopefully makes the
landscape and discourse somewhat less complicated.

Received on Thursday, 30 October 2014 12:57:13 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:42 UTC