- From: Jeffrey Walton <noloader@gmail.com>
- Date: Wed, 1 Jul 2015 19:17:02 -0400
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> Anyway, per the WHATWG spec the algorithm at > https://w3c.github.io/webappsec/specs/powerfulfeatures/#settings-secure > would check the TLS state of the worker and if that's authenticated return > "Secure". The note in step 2 just has no bearing on what the algorithm is > doing. Hmmm... Authentication is not authorization. What happens when one of those interception proxies MitM's the connection? The authentication assurances that are supposed to exist don't even exist in this case. They were disgorged due to the security model... Jeff
Received on Wednesday, 1 July 2015 23:17:30 UTC