
Re: [powerful-features] Use of the active document in defining a secure context is fishy

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 2 Jul 2015 10:45:58 +0200
Message-ID: <CADnb78jUynP4-j7t8PCqj7kLQssQf6oyW=CX0=Akpf+Ume4s5g@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, Yan Zhu <yzhu@yahoo-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Jul 2, 2015 at 9:53 AM, Mike West <mkwst@google.com> wrote:
> On Thu, Jul 2, 2015 at 9:32 AM, Mike West <mkwst@google.com> wrote:
>> It's not clear to me how far we ought to go to prevent developers from
>> doing this kind of thing. My intuition is that walking the ancestor chain is
>> enough, and that popups are annoying enough for everyone involved to avoid.
>> What do you think?
> I now remember that I had a similar conversation with Ian a while back:
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=27190.

See also https://lists.w3.org/Archives/Public/public-webappsec/2015Jun/0067.html
about making secure contexts an actual guarantee by tying it to
origins. As long as we don't do that, things will leak. E.g. assume B
has a service worker. Now B is embedded in non-secure A. Does the
service worker run?

It's not entirely clear to me that doing this half-assed ancestor
check is buying us much in a world with workers, multiple windows,
etc. We'll defeat the Netflix workaround, but the moment Netflix adds
a shared worker they're golden again.

Received on Thursday, 2 July 2015 08:46:22 UTC
