- From: Mike West <mkwst@google.com>
- Date: Thu, 15 Jan 2015 10:00:46 +0100
- To: David Walp <David.Walp@microsoft.com>
- Cc: Anne van Kesteren <annevk@annevk.nl>, Chris Palmer <palmer@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=ftSKdJJSnUQgwVtM2=6gv12WzgBQS8zu9XHSWpbzGMqA@mail.gmail.com>
On Thu, Jan 15, 2015 at 1:27 AM, David Walp <David.Walp@microsoft.com> wrote:

> We understand your arguments. We already live with these issues every
> day. Being able to handle the intranet different from the internet is
> important to a number of customers. Provided we not consider out of
> compliance for how we handle the intranet, we are fine with the spec as it
> is.

There is nothing in the spec that distinguishes between private and public networks (and, in fact, such a distinction <http://www.w3.org/TR/2014/WD-mixed-content-20140916/#private-origin> was actively removed from the spec <https://github.com/w3c/webappsec/commit/802cc2959b928d3ef0e35a974bff81ce161ae25e>), and I don't believe adding an intranet carveout to the spec is a good idea.

>>>> 7) Section 5.1, Example 5 - "even though the framed data URL was not".
>>>>
>>>> We believe the text "even though the framed data URL was not" is
>>>> incomplete. Our opinion is that data URL should be treated the same as the
>>>> web page that contains the data URL.
>>>
>>> As a.com was loaded over a secure connection, the framed data URL
>>> inherited the secure context of its parent and hence loading from evil.com
>>> is blocked. Make sense?
>>
>> It's not clear that we're disagreeing about the conclusions here. :) Do
>> you still think the wording needs to be changed?
>
> We think more explicit here would be helpful.

Does https://github.com/w3c/webappsec/commit/537aa36231ba52455917b9a0a81deb6b6ad475d6 address your concern?

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
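The point under discussion in Example 5 (a framed data: URL inherits the secure context of the https page that embeds it, so a request to plain http://evil.com from inside the frame is blocked) can be modelled in a few lines. The following is an added example, not part of the message above or of the Mixed Content spec's own text: it approximates the spec's "potentially trustworthy URL" and "does settings prohibit mixed security contexts" checks over documents represented as plain `{ url, parent }` records (an assumption of this example, not a browser API), and treats every non-trustworthy request as blockable without distinguishing optionally-blockable subtypes such as images.

```javascript
// Added example, not from the mailing-list thread or the spec text: a
// simplified model of the Mixed Content decision for a request issued from
// inside a framed data: URL. Documents are modelled as { url, parent } records
// (an assumption of this example, not a browser API).

// Approximation of "potentially trustworthy URL" (Secure Contexts spec):
// https/wss/file, loopback hosts, and the schemes that inherit their
// security status from the embedding document (data:, about:blank/srcdoc).
function isPotentiallyTrustworthyUrl(urlString) {
  const url = new URL(urlString);
  if (url.href === "about:blank" || url.href === "about:srcdoc") return true;
  if (url.protocol === "data:") return true;
  if (["https:", "wss:", "file:"].includes(url.protocol)) return true;
  const host = url.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "127.0.0.1" || host === "[::1]") return true;
  return false;
}

// data: and about:blank documents have an opaque origin: on their own they
// carry no security status and take it from the document that framed them.
function hasOpaqueOrigin(urlString) {
  const url = new URL(urlString);
  return url.protocol === "data:" || url.href === "about:blank";
}

// Mirrors "does settings prohibit mixed security contexts": the document
// itself, or any ancestor, has a potentially trustworthy (non-opaque) origin.
// A top-level data: document with no ancestors therefore restricts nothing.
function prohibitsMixedSecurityContexts(doc) {
  for (let d = doc; d; d = d.parent) {
    if (!hasOpaqueOrigin(d.url) && isPotentiallyTrustworthyUrl(d.url)) {
      return true;
    }
  }
  return false;
}

// A request is blocked as mixed content when the requesting document
// prohibits mixed security contexts and the target URL is not itself
// trustworthy (http:, ws:). Optionally-blockable subtypes are not modelled.
function isBlockedAsMixedContent(doc, requestUrl) {
  return (
    prohibitsMixedSecurityContexts(doc) && !isPotentiallyTrustworthyUrl(requestUrl)
  );
}

// The situation from Example 5 as described in the thread: a.com frames a
// data: URL whose content tries to load a script from evil.com. The hostnames
// and the data: payload are constructed for this example.
function framedDataUrlExample(parentUrl) {
  const parent = { url: parentUrl, parent: null };
  const framed = {
    url: "data:text/html,<script src='http://evil.com/x.js'></script>",
    parent,
  };
  return isBlockedAsMixedContent(framed, "http://evil.com/x.js");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("https parent:", framedDataUrlExample("https://a.com/")); // true (blocked)
  console.log("http parent: ", framedDataUrlExample("http://a.com/")); // false (allowed)
}
```

Run it with `node` to see the two outcomes side by side: with a.com served over https the framed data: document inherits the restriction and the http://evil.com request is blocked; with a.com served over plain http nothing in the ancestor chain is trustworthy, so the same request goes through.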
Received on Thursday, 15 January 2015 09:01:34 UTC