- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 25 Jun 2015 16:38:25 -0700
- To: WebAppSec WG <public-webappsec@w3.org>
- Cc: Bobby Holley <bholley@mozilla.com>

bholley pointed out that unless we make secure contexts <https://w3c.github.io/webappsec/specs/powerfulfeatures/> a new type of origin, we're a bit leaky. I guess we could see secure contexts as a way to make "HTTPS Web Crypto Proxies" harder, but even that somewhat falls apart with shared and service workers. Still, that might be okay.

Giving it real origin semantics does seem somewhat compelling. You cannot enforce it for the network, but you could imagine different buckets for shared workers, indexed DB, localStorage, BroadcastChannel, etc. created within a secure context vs created within HTTPS in an insecure context (an HTTP tab embedding an HTTPS page).

Thoughts?

--
https://annevankesteren.nl/

Received on Thursday, 25 June 2015 23:38:56 UTC
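
Added example, not part of the original message and not browser code: a toy model of the bucket idea, comparing storage keyed by origin alone with storage keyed by origin plus secure-context state. The function names, the key format and the frame trees are assumptions made for illustration, and "secure origin" is simplified to mean an https: URL.

```javascript
// Simplification (assumption): an origin counts as secure only if it is https:.
function isSecureOrigin(origin) {
  return new URL(origin).protocol === 'https:';
}

// A context is secure only if it and every ancestor have a secure origin.
function isSecureContext(ctx) {
  for (let c = ctx; c; c = c.parent) {
    if (!isSecureOrigin(c.origin)) return false;
  }
  return true;
}

// Keying by origin alone: every same-origin context shares one bucket.
function originKey(ctx) {
  return new URL(ctx.origin).origin;
}

// Hypothetical keying for the bucket idea: origin plus secure-context state.
function partitionedKey(ctx) {
  return originKey(ctx) + (isSecureContext(ctx) ? '^secure' : '^insecure');
}

// Minimal stand-in for localStorage / indexed DB: one Map per bucket key.
function makeStore(keyFn) {
  const buckets = new Map();
  const bucket = (ctx) => {
    const k = keyFn(ctx);
    if (!buckets.has(k)) buckets.set(k, new Map());
    return buckets.get(k);
  };
  return {
    set: (ctx, name, value) => bucket(ctx).set(name, value),
    get: (ctx, name) => bucket(ctx).get(name),
  };
}

// Constructed frame trees: a top-level HTTPS tab, and the same HTTPS origin
// embedded in an HTTP tab (HTTPS in an insecure context).
const secureTab = { origin: 'https://app.example', parent: null };
const httpTab = { origin: 'http://news.example', parent: null };
const embedded = { origin: 'https://app.example', parent: httpTab };

// Write from the secure context, then read from the embedded insecure one.
function readAcrossContexts(keyFn) {
  const store = makeStore(keyFn);
  store.set(secureTab, 'item', 'written-in-secure-context');
  return store.get(embedded, 'item');
}
```

With `originKey` the embedded frame reads the value written by the secure tab; with `partitionedKey` it gets `undefined` because the two contexts resolve to different buckets.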