W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Privileged context features and JavaScript

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 17 Apr 2015 07:16:44 +0200
Message-ID: <CADnb78jensEw8i=DgfuQkRS14RvP+VMFnGYTjq3LHk+8J9nTUQ@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>, public-script-coord <public-script-coord@w3.org>, WebApps WG <public-webapps@w3.org>
Soon there will be a number of features that are restricted to
privileged contexts. Most prominent one being service workers.

Within user agents the prevailing pattern is that privileged APIs are
not available in unprivileged contexts. However, both Firefox and
Chrome currently expose the service worker API everywhere, it just
happens to reject.

Should we change this and simply not expose the API in unprivileged
contexts? E.g. through IDL syntax? That way we don't have to carefully
secure all access points.

Received on Friday, 17 April 2015 05:17:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:48 UTC