
Re: [powerful-features] The note about responsible documents and workers makes no sense

From: Jeffrey Walton <noloader@gmail.com>
Date: Wed, 1 Jul 2015 19:17:02 -0400
Message-ID: <CAH8yC8mpw2CkKwddUZDc8oED9rRzRO6ApWC+ACfPXeeev9euSg@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> Anyway, per the WHATWG spec the algorithm at
> https://w3c.github.io/webappsec/specs/powerfulfeatures/#settings-secure
> would check the TLS state of the worker and if that's authenticated return
> "Secure".  The note in step 2 just has no bearing on what the algorithm is
> doing.

Hmmm... Authentication is not authorization.

What happens when one of those interception proxies MitM's the
connection? The authentication assurances that are supposed to exist
don't even exist in this case. They were disgorged due to the security
model...

Jeff
Received on Wednesday, 1 July 2015 23:17:30 UTC
