W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2015

Is secure context enough of a guarantee?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 25 Jun 2015 16:38:25 -0700
Message-ID: <CADnb78htQaB2410BQUWPbjBS4h391ZsT8mHBFBoCMGZVGgeOkA@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
Cc: Bobby Holley <bholley@mozilla.com>
bholley pointed out that unless we make secure contexts
https://w3c.github.io/webappsec/specs/powerfulfeatures/ a new type of
origin, we're a bit leaky.

I guess we could see secure contexts as a way to make "HTTPS Web
Crypto Proxies" harder, but even that somewhat falls apart with shared
and service workers. Still, that might be okay.

Giving it real origin semantics does seem somewhat compelling. You
cannot enforce it for the network, but you could imagine different
buckets for shared workers, indexed DB, localStorage,
BroadcastChannel, etc. created within a secure context vs created
within HTTPS in an insecure context (an HTTP tab embedding an HTTPS
page).

Thoughts?


-- 
https://annevankesteren.nl/
Received on Thursday, 25 June 2015 23:38:56 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC