Re: [MIX] Feedback on the private origin & self-signed certificate requirements

On Mon, Sep 15, 2014 at 5:59 PM, Hill, Brad <bhill@paypal.com> wrote:

> Mike,
>
>  I hate to recapitulate the extensions debate we had for CSP, but I wonder
> if you've thought about whether we ought to have some (non-normative)
> language about this kind of thing when the JS global environment is an
> extension?
>

Oh, my favourite argument!

I agree that we should leave room for browsers to do the things that they
want to do with extensions.

> The case of calling directly from the browser to another application's
> web server seems nefarious, but I know that it's a very common thing (at
> least in my technical circles, if not numerically in the store) for Chrome
> extensions to make use of localhost web servers or web sockets to connect
> web apps to other interesting things.
>

Yes. Chrome generally allows extensions to do things that we'd consider
dangerous to expose to the web at large.
> Or do you think that browser vendors will just make their own appropriate
> decisions on this without guidance, like how, e.g. Chrome extensions can
> talk in a limited fashion to USB devices but ordinary web pages cannot.
>

What would you suggest our guidance be? It's not clear to me from this
email what position you're taking on the question of public/private IPs. :)

-mike

Received on Tuesday, 16 September 2014 12:22:29 UTC