W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: POWER: Combining document and settings object checks.

From: Jeffrey Yasskin <jyasskin@google.com>
Date: Thu, 29 Jan 2015 08:11:49 -0800
Message-ID: <CANh-dX=Wrrtb3Zuw8=H+AKbLp4S+jR0Geg3-fBjtqS8qduwGwQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>
In another spec, I'd like to write:

If the <a href="http://www.w3.org/TR/html5/#incumbent-settings-object">incumbent
settings object</a> is <a href="
https://w3c.github.io/webappsec/specs/powerfulfeatures/#settings-sufficiently-secure">not
a sufficiently secure context</a>, then reject _promise_ with a
SecurityError.

Is there a reason to use the extra verbosity suggested in
https://w3c.github.io/webappsec/specs/powerfulfeatures/#new?

Thanks,
Jeffrey (or Jeff :)

On Thu, Jan 29, 2015 at 3:07 AM, Mike West <mkwst@google.com> wrote:

> Jeff noted in https://github.com/w3c/webappsec/issues/160 that it was
> more than confusing to have two checks in POWER, one for Documents, and one
> for settings objects. Since we can get to the one from the other, we should
> have one check to avoid boilerplate in every other spec.
>
> I've combined the checks into
> https://w3c.github.io/webappsec/specs/powerfulfeatures/#settings-sufficiently-secure.
> I'd appreciate feedback regarding the new text's sanity. :)
>
> Thanks!
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
Received on Thursday, 29 January 2015 16:12:35 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC