
[powerful-features] The note about responsible documents and workers makes no sense

From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Wed, 01 Jul 2015 10:41:58 -0400
Message-ID: <5593FC36.5010306@mit.edu>
To: public-webappsec@w3.org

https://w3c.github.io/webappsec/specs/powerfulfeatures/#settings-secure 
step 2 says "If settings has a responsible document document" and then 
has a note saying "Note: If settings maps to a Document (either 
directly, or as the responsible document of a Worker), we’ll walk all 
the way up the document’s ancestor chain to verify that the whole chain 
is secure."  But if you look at the actual spec for workers at 
https://html.spec.whatwg.org/multipage/workers.html#script-settings-for-workers 
you will see that for a worker settings object the responsible document 
is listed as "not applicable".

Also, 
https://html.spec.whatwg.org/multipage/webappapis.html#responsible-document 
clearly says "If the responsible event loop is not a browsing context 
event loop, then the environment settings object has no responsible 
document."  Interestingly, that text seems to be missing from the 
definition of "responsible document" at 
<http://www.w3.org/TR/html5/webappapis.html#responsible-document> (which 
this spec draft links to)... but that spec doesn't define workers at all 
anyway, so isn't much help here. http://www.w3.org/TR/workers/ doesn't 
define the settings object.  I'm going to ignore the W3C forks of this 
stuff for the moment, since it doesn't even define the primitives we're 
trying to work with.

Anyway, per the WHATWG spec the algorithm at 
https://w3c.github.io/webappsec/specs/powerfulfeatures/#settings-secure 
would check the TLS state of the worker and if that's authenticated 
return "Secure".  The note in step 2 just has no bearing on what the 
algorithm is doing.

-Boris
Received on Wednesday, 1 July 2015 14:42:27 UTC
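The following is an added model (an editor's example, not Boris's code and not the spec's own text) of the "is settings object a secure context" algorithm as the message describes it: a Document settings object walks its ancestor chain, while a Worker settings object, which per the WHATWG definition has no responsible document, never enters that walk and is judged on its own TLS state. The settings objects are plain records constructed for the example, and the "potentially trustworthy" test is a deliberately simplified stand-in (https/wss/file and loopback hosts), not the full definition.

```javascript
// Model of the settings-secure algorithm as described in the message above.
// Editor's example; assumptions: settings objects are plain records, a Document
// record has a `parent` (ancestor settings or null), a Worker record carries its
// own `tlsState` and has no responsible document.

// Simplified stand-in for "potentially trustworthy origin" (assumption, not the
// spec's full definition): https/wss/file schemes and loopback hosts pass.
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (["https:", "wss:", "file:"].includes(u.protocol)) return true;
  return u.hostname === "localhost" || u.hostname === "127.0.0.1";
}

function makeDocument(url, parent = null) {
  return { kind: "document", url, parent };
}

function makeWorker(url, tlsState) {
  return { kind: "worker", url, tlsState };
}

// Per the WHATWG definition quoted in the message: a Document's settings object
// maps to that Document; a Worker's settings object has no responsible document.
function responsibleDocument(settings) {
  return settings.kind === "document" ? settings : null;
}

// URLs whose origins the ancestor walk actually inspects. For a worker the list
// is empty: step 2 is guarded on having a responsible document, so the note's
// claim that a worker's ancestors are walked never applies.
function ancestorsChecked(settings) {
  const checked = [];
  for (let doc = responsibleDocument(settings); doc; doc = doc.parent) {
    checked.push(doc.url);
  }
  return checked;
}

function isSettingsSecure(settings) {
  // Step 2 as quoted: "If settings has a responsible document ..." then every
  // document up the ancestor chain must be trustworthy.
  if (responsibleDocument(settings) !== null) {
    return ancestorsChecked(settings).every(isPotentiallyTrustworthy)
      ? "Secure"
      : "Not Secure";
  }
  // No responsible document (a worker): per the message, the algorithm then
  // looks only at the worker's own TLS state.
  return settings.tlsState === "authenticated" ? "Secure" : "Not Secure";
}

// Constructed inputs: an https page framed inside an http page, a top-level
// https page, and a worker whose own connection was authenticated.
const topHttp = makeDocument("http://example.test/");
const framedHttps = makeDocument("https://example.test/frame", topHttp);
const topHttps = makeDocument("https://example.test/");
const worker = makeWorker("https://example.test/worker.js", "authenticated");

console.log(isSettingsSecure(topHttps));     // Secure
console.log(isSettingsSecure(framedHttps));  // Not Secure: the http ancestor fails the walk
console.log(ancestorsChecked(worker));       // []: no responsible document, nothing walked
console.log(isSettingsSecure(worker));       // Secure: decided by tlsState alone
```

The contrast between the framed document and the worker is the point of the message: the ancestor walk only runs when a responsible document exists, so for a worker the outcome is determined entirely by the worker's own TLS state, whatever the note in step 2 says.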
