W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2014

Re: [MIX] Feedback on the private origin & self-signed certificate requirements

From: Hill, Brad <bhill@paypal.com>
Date: Tue, 16 Sep 2014 17:23:20 +0000
To: Mike West <mkwst@google.com>
CC: "Chen, Zhigao" <zhigao.chen@sap.com>, Chris Bentzel <cbentzel@google.com>, Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <96A9112C-28D4-4C65-83C5-937C9C9D4DDF@paypal.com>
I think that for multi-user and multiple-app-principal systems, the presence of a listening server on the loopback isn't enough to infer the user's permission to allow an arbitrary web site to access it.

Something like existing prompts for geolocation or user media seems like a sensible model to follow to not break existing applications that use this, but asking for local/private network access is definitely less informative for the user about what is actually being granted.

-Brad


On Sep 16, 2014, at 5:21 AM, Mike West <mkwst@google.com> wrote:

> On Mon, Sep 15, 2014 at 5:59 PM, Hill, Brad <bhill@paypal.com> wrote:
> Mike,
> 
>  I hate to recapitulate the extensions debate we had for CSP, but I wonder if you've thought about whether we ought to have some (non-normative) language about this kind of thing when the JS global environment is an extension?
> 
> Oh, my favourite argument!
> 
> I agree that we should leave room for browsers to do the things that they want to do with extensions.
> 
>   The case of calling directly from the browser to another application's web server seems nefarious, but I know that it's a very common thing (at least in my technical circles, if not numerically in the store) for Chrome extensions to make use of localhost web servers or web sockets to connect web apps to other interesting things.
> 
> Yes. Chrome generally allows extensions to do things that we'd consider dangerous to expose to the web at large.
>  
> Or do you think that browser vendors will just make their own appropriate decisions on this without guidance, like how, e.g. Chrome extensions can talk in a limited fashion to USB devices but ordinary web pages cannot.
> 
> What would you suggest our guidance be? It's not clear to me from this email what position you're taking on the question of public/private IPs. :)
> 
> -mike 
Received on Tuesday, 16 September 2014 17:23:49 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC