Re: Definition of secure origin in MIX and POWER

On Wed, Jul 8, 2015 at 4:43 PM, Francois Marier <francois@mozilla.com> wrote:

> Is there a reason why the mixed content spec doesn't use the same
> definition of "potentially secure origin" as the powerful features spec?
>
> In particular, "http://localhost" is potentially secure in POWER but not
> in MIX.
>

`http://localhost` is potentially _trustworthy_ in "secure contexts"
(https://w3c.github.io/webappsec/specs/powerfulfeatures/#is-origin-trustworthy).

I agree that the terms are similar. A few folks have suggested that MIX
shouldn't block localhost requests, which might even make sense. Given that
browsers have agreed on blocking these requests today, however, I'd suggest
that it's another question to be deferred to MIX2. :)

-mike

Received on Wednesday, 8 July 2015 14:49:31 UTC