Re: Defining secure-enough origins.

From: Chris Palmer <palmer@google.com>
Date: Tue, 2 Sep 2014 14:15:48 -0700
Message-ID: <CAOuvq21HAPHhzROnd4O3Svtvp7hQOuzUG8u2ZZZ=NCgufsbi0Q@mail.gmail.com>
To: Jeffrey Yasskin <jyasskin@google.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>

On Thu, Aug 28, 2014 at 9:14 AM, Jeffrey Yasskin <jyasskin@google.com> wrote:

> Since an origin is just (uri-scheme, uri-host, uri-port)--effectively a
> string--but insecurity and authentication in MIX change based on
> whether "the user agent discovers only after performing a
> TLS-handshake that the TLS-protection offered is either weak or
> deprecated", I'm not sure it's appropriate to talk about authenticated
> or insecure "origins". I think it's the _resource_ that becomes
> insecure if it turns out to have been transferred over a TLS-deficient
> connection.

But if that resource was code, it can poison the whole origin on an
on-going basis; if the resource was passive content, it can still
cause a lot of trouble (e.g. mixed image content changing the meaning
of the UI for an otherwise secure origin).

So, the boundaries between the terms "origin", "resource", and "total
history of resources downloaded and rendered/executed in the context
of an origin" are fuzzy...
Received on Tuesday, 2 September 2014 21:16:15 UTC