
[powerful-features] Some comments

From: Richard Barnes <rbarnes@mozilla.com>
Date: Wed, 14 Oct 2015 10:28:14 -0700
Message-ID: <CAOAcki-p5UJTgP+A4XLkiij9LSK3Fby43wWQx=N4kdZwYT2sUw@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>

Hey all,

I took a read through the Secure Contexts document.  Overall, it looks to
be in pretty good shape.  Thanks to the authors for pivoting a few times.

A few minor comments:

- It would be helpful to be a little more explicit about what the
properties are that a "secure context" is supposed to entail, in
particular, that the website is authentic and that interactions are
confidential.

- That discussion of security model would also help better motivate the
ancestor checking
* Notion of authenticity starts at the navigation level and carries down
the ancestor tree
* If a link in that chain is broken, then the authorization is broken
* For example: Suppose a user intends to access example.com
  * But an active attacker injects a script and a malicious HTTPS iframe
  * The attacker can then use the HTTPS iframe to extract data
  * ... just as if the non-secure page had been allowed access

- In Section 5.1, you note that opening a popup can be a way to circumvent
these separations.  Is there a reason that we're not using window.opener
state in the same way as iframe parent state?  This still won't get us to
perfect isolation, but it would close off another major avenue.

- I find the discussion of sandboxed iframes in Section 3.1 confusing.  Is
the intent here simply for the same rules to apply to sandboxed iframes as
for regular iframes?

- The idea of adding a WebIDL notation to indicate that an object is
restricted to secure contexts seems like a good idea to me.  I don't really
care if that goes in this spec or in WebIDL directly.  (cf.
https://github.com/w3c/webappsec/issues/262)


Editorial nits:
- "minimum security bar" -> "minimum security level"
- "outlines threat models ... and outline normative requirements ..." ->
"describes threat models ... outlines normative requirements ..."
- Section 1.1 might be better titled "Summary"
- Also, having a 1.1 is unnecessary, since there's no 1.2.
- The link to "potentially secure origin" is broken

Received on Wednesday, 14 October 2015 17:28:42 UTC
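The ancestor-chain reasoning in the message above, as an added example that is not part of the original e-mail or of the Secure Contexts specification. It models a frame tree and walks it the way the message describes: the leaf document must be served over a trustworthy scheme, and so must every ancestor up to the top-level document, so an HTTPS iframe injected into a non-secure page does not get a secure context. A second function follows the message's suggestion of treating window.opener like the parent link. Assumptions: the trustworthiness test is simplified to "https: or wss:" (the real spec also covers localhost, file:, and other cases), the frame tree and the origin attacker.example are constructed for the scenario, and the frame objects are a stand-in for real browsing contexts.

```javascript
// Added example (not from the original message or the Secure Contexts spec):
// a model of the ancestor-chain check described in the message.

// Simplified stand-in for "potentially trustworthy origin": only the scheme
// is examined. The real algorithm also handles localhost, file: and similar.
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  return u.protocol === 'https:' || u.protocol === 'wss:';
}

// A frame is a plain object: { url, parent, opener }. A top-level document
// has parent === null; a document not opened via window.open has opener === null.
function makeFrame(url, parent = null, opener = null) {
  return { url, parent, opener };
}

// Secure context as the message describes it: authenticity starts at the
// navigation and carries down the ancestor tree, so every link in the chain
// from this frame to the top-level document must be trustworthy.
function isSecureContext(frame) {
  for (let f = frame; f !== null; f = f.parent) {
    if (!isPotentiallyTrustworthy(f.url)) return false;
  }
  return true;
}

// Variant following the message's suggestion: treat the opener the same way
// as the parent, so a non-secure page cannot gain a secure context by opening
// a popup. The visited set guards against cycles (A opens B, B opens A).
function isSecureContextWithOpener(frame) {
  const seen = new Set();
  const stack = [frame];
  while (stack.length > 0) {
    const f = stack.pop();
    if (f === null || seen.has(f)) continue;
    seen.add(f);
    if (!isPotentiallyTrustworthy(f.url)) return false;
    stack.push(f.parent, f.opener);
  }
  return true;
}

// Constructed scenario 1 (from the message): an active attacker injects an
// HTTPS iframe into the non-secure example.com page. The iframe is HTTPS on
// its own, but its ancestor chain is broken at the top-level document.
const nonSecureTop = makeFrame('http://example.com/');
const injectedHttpsFrame = makeFrame('https://attacker.example/collect', nonSecureTop);

// Constructed scenario 2: the same page is fully HTTPS, so the chain holds.
const secureTop = makeFrame('https://example.com/');
const legitimateFrame = makeFrame('https://example.com/widget', secureTop);

// Constructed scenario 3 (the Section 5.1 popup avenue): the non-secure page
// opens an HTTPS popup. Parent-only checking sees a clean top-level document;
// the opener-aware variant still rejects it.
const httpsPopup = makeFrame('https://example.com/popup', null, nonSecureTop);

function runScenarios() {
  return {
    injectedFrame: isSecureContext(injectedHttpsFrame),            // false
    legitimateFrame: isSecureContext(legitimateFrame),             // true
    popupParentOnly: isSecureContext(httpsPopup),                  // true
    popupWithOpener: isSecureContextWithOpener(httpsPopup),        // false
  };
}

console.log(runScenarios());
```

The difference between the last two results is the gap the message points at: with parent-only checking, a popup is its own top-level browsing context and passes, even though the page that opened it (and can script it through the returned window handle) is non-secure.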
