
Re: Definition of secure origin in MIX and POWER

From: Mike West <mkwst@google.com>
Date: Wed, 8 Jul 2015 16:48:43 +0200
Message-ID: <CAKXHy=d2gYRyYaENHN=3AF3g9RwD=CNibatpT8CoEFP_NroLgA@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Jul 8, 2015 at 4:43 PM, Francois Marier <francois@mozilla.com> wrote:

> Is there a reason why the mixed content spec doesn't use the same
> definition of "potentially secure origin" as the powerful features spec?
>
> In particular, "http://localhost" is potentially secure in POWER but not
> in MIX.
>

`http://localhost` is potentially _trustworthy_ in "secure contexts" (https://w3c.github.io/webappsec/specs/powerfulfeatures/#is-origin-trustworthy).

I agree that the terms are similar. A few folks have suggested that MIX
shouldn't block localhost requests, which might even make sense. Given that
browsers have agreed on blocking these requests today, however, I'd suggest
that it's another question to be deferred to MIX2. :)

-mike
Received on Wednesday, 8 July 2015 14:49:31 UTC
