
Re: [MIX] Feedback on the private origin & self-signed certificate requirements

From: Mike West <mkwst@google.com>
Date: Tue, 16 Sep 2014 14:21:36 +0200
Message-ID: <CAKXHy=ft52EdYGbttxzS4v24qghcK+3Frqo6qS8pyZmOhEd1+Q@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal.com>
Cc: "Chen, Zhigao" <zhigao.chen@sap.com>, Chris Bentzel <cbentzel@google.com>, Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Sep 15, 2014 at 5:59 PM, Hill, Brad <bhill@paypal.com> wrote:

> Mike,
>  I hate to recapitulate the extensions debate we had for CSP, but I wonder
> if you've thought about whether we ought to have some (non-normative)
> language about this kind of thing when the JS global environment is an
> extension?

Oh, my favourite argument!

I agree that we should leave room for browsers to do the things that they
want to do with extensions.

> The case of calling directly from the browser to another application's
> web server seems nefarious, but I know that it's a very common thing (at
> least in my technical circles, if not numerically in the store) for Chrome
> extensions to make use of localhost web servers or web sockets to connect
> web apps to other interesting things.

Yes. Chrome generally allows extensions to do things that we'd consider
dangerous to expose to the web at large.

> Or do you think that browser vendors will just make their own appropriate
> decisions on this without guidance, like how, e.g. Chrome extensions can
> talk in a limited fashion to USB devices but ordinary web pages cannot.

What would you suggest our guidance be? It's not clear to me from this
email what position you're taking on the question of public/private IPs. :)

Received on Tuesday, 16 September 2014 12:22:29 UTC
