[powerful-features] Use of the active document in defining a secure context is fishy

From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Wed, 01 Jul 2015 11:05:40 -0400
Message-ID: <559401C4.9080008@mit.edu>
To: public-webappsec@w3.org
https://w3c.github.io/webappsec/specs/powerfulfeatures/#settings-secure 
step 2.1 sets "ancestors" to be "a list of Documents containing document 
and the active document in each of document’s ancestor browsing contexts".

Ignoring for the moment that a document has no concept of an ancestor 
browsing context, and assuming this meant to say "the active document in 
each of the ancestor browsing contexts of document's browsing context", 
I would like to think about the following situation:

Consider a website (call it W) loaded from http://a which has a subframe 
(call it X) loaded from https://b.  This subframe opens another window 
(call it Y) loaded from http://c.  This window has a subframe (call it 
Z) which is loaded from https://b (so X and Z are same-origin).

Now X grabs a reference to the window object of Z and then navigates Y 
to https://d.  Then it tries to do something with that window object 
that performs the check at 
https://w3c.github.io/webappsec/specs/powerfulfeatures/#settings-secure

Stepping through the algorithm, the TLS state of Z is authenticated, 
"documents" consists of documents loaded from https://b and https://d 
respectively, and the algorithm returns "Secure".  This seems a bit odd, 
since doing the same exact thing before navigating Y would have returned 
"Not Secure".

-Boris
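The scenario above can be modelled directly. The following is an added illustration (not spec text, and not code from Boris or the W3C draft) of the "ancestors" reading Boris proposes: a Document's ancestor list is the Document itself plus the active document of each ancestor browsing context at the time of the check. The BrowsingContext/Document classes, the use of the URL scheme as a stand-in for "TLS state is authenticated", and the assumption that Z's Document keeps pointing at its original (now stale) parent context are all modelling assumptions, not browser behaviour.

```javascript
// Model of the secure-context check as described in the message above.
// All classes and names here are hypothetical; only the algorithm shape
// (document + active documents of ancestor browsing contexts) follows the draft.

class Document {
  constructor(url, browsingContext) {
    this.url = new URL(url);
    this.browsingContext = browsingContext;
  }
  // Assumption: "TLS state is authenticated" is approximated by the https: scheme.
  get tlsAuthenticated() {
    return this.url.protocol === 'https:';
  }
}

class BrowsingContext {
  constructor(parent = null) {
    this.parent = parent;        // ancestor browsing context, or null for top-level
    this.activeDocument = null;  // the Document currently shown in this context
  }
  navigate(url) {
    // Navigation swaps the active document. The old Document object is not
    // destroyed; scripts that hold a reference to it (or to its window) keep it.
    this.activeDocument = new Document(url, this);
    return this.activeDocument;
  }
}

// Step 2.1 as Boris reads it: the document, then the *active* document of each
// ancestor browsing context of the document's browsing context.
function ancestorsOf(document) {
  const list = [document];
  for (let bc = document.browsingContext.parent; bc !== null; bc = bc.parent) {
    list.push(bc.activeDocument);
  }
  return list;
}

function secureContextState(document) {
  return ancestorsOf(document).every((d) => d.tlsAuthenticated)
    ? 'Secure'
    : 'Not Secure';
}

// W (http://a) contains X (https://b); X opens Y (http://c), which contains
// Z (https://b). X holds Z's window, then navigates Y to https://d.
function runScenario() {
  const w = new BrowsingContext();
  w.navigate('http://a/');
  const x = new BrowsingContext(w);
  x.navigate('https://b/');

  // Y is an auxiliary (opened) context: it has an opener, but no parent, so W/X
  // never appear in Z's ancestor list under this algorithm.
  const y = new BrowsingContext();
  y.navigate('http://c/');
  const zCtx = new BrowsingContext(y);
  const z = zCtx.navigate('https://b/');

  const before = secureContextState(z); // Y's active document is http://c

  // Assumption: Z's Document still reports zCtx (with parent y) as its
  // browsing context after Y navigates, so the check now sees https://d.
  y.navigate('https://d/');
  const after = secureContextState(z);

  return { before, after };
}

console.log(runScenario());
```

Running the scenario returns `Not Secure` before the navigation and `Secure` afterwards for the very same Document object, which is the inconsistency the message points out: the result depends on what happens to be the active document in the ancestor context at check time, not on the context the document was actually loaded into.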
Received on Wednesday, 1 July 2015 15:06:10 UTC