Is secure context enough of a guarantee?

bholley pointed out that unless we make secure contexts
https://w3c.github.io/webappsec/specs/powerfulfeatures/ a new type of
origin, we're a bit leaky.

I guess we could see secure contexts as a way to make "HTTPS Web
Crypto Proxies" harder, but even that somewhat falls apart with shared
and service workers. Still, that might be okay.

Giving it real origin semantics does seem somewhat compelling. You
cannot enforce it for the network, but you could imagine different
buckets for shared workers, indexed DB, localStorage,
BroadcastChannel, etc. created within a secure context vs created
within HTTPS in an insecure context (an HTTP tab embedding an HTTPS
page).

Thoughts?


-- 
https://annevankesteren.nl/

Received on Thursday, 25 June 2015 23:38:56 UTC