W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: Permission that spans browsing contexts

From: Mike West <mkwst@google.com>
Date: Thu, 30 Oct 2014 15:02:57 +0100
Message-ID: <CAKXHy=deSHc9ZtQ0ZijvLLu7JvVoiFOi8U-N0VmEUL4QKhPm2A@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
If there's value in splitting the powerful features bit out into a separate
spec, I'm happy to do it. It does feel a bit crammed into MIX just because
MIX was there. *shrug*

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Thu, Oct 30, 2014 at 1:56 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> The powerful features push is good. However, it does allow a TLS
> <iframe> to collaborate with non-TLS parent. This is how Netflix gets
> access to Web Crypto and therefore likely complains less about that
> than they complain about making EME a powerful feature.
>
> It might be a bit early, but it would be nice to start considering
> stricter models. Where the top-level browsing context needs to be TLS.
> Or where only the top-level browsing context gets access to a feature
> (proposed for e.g. first-party cookies).
>
> Since Make enjoys writing a lot of tiny specifications, perhaps we
> should have a "security permissions" document that other
> specifications can reference for the permission policy their feature
> enjoys and move the powerful feature stuff from Mixed Content there.
>
> Providing terminology for these various approaches hopefully makes the
> landscape and discourse somewhat less complicated.
>
>
> --
> https://annevankesteren.nl/
>
>
Received on Thursday, 30 October 2014 14:03:46 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC