- From: Richard Barnes <rbarnes@mozilla.com>
- Date: Wed, 14 Oct 2015 10:28:14 -0700
- To: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAOAcki-p5UJTgP+A4XLkiij9LSK3Fby43wWQx=N4kdZwYT2sUw@mail.gmail.com>
Hey all,

I took a read through the Secure Contexts document. Overall, it looks to be in pretty good shape. Thanks to the authors for pivoting a few times.

A few minor comments:

- It would be helpful to be a little more explicit about what the properties are that a "secure context" is supposed to entail, in particular, that the website is authentic and that interactions are confidential.

- That discussion of the security model would also help better motivate the ancestor checking:
  * The notion of authenticity starts at the navigation level and carries down the ancestor tree
  * If a link in that chain is broken, then the authorization is broken
  * For example: suppose the user intends to access example.com
  * But an active attacker injects a script and a malicious HTTPS iframe
  * The attacker can then use the HTTPS iframe to extract data
  * ... just as if the non-secure page had been allowed access

- In Section 5.1, you note that opening a popup can be a way to circumvent these separations. Is there a reason that we're not using window.opener state in the same way as iframe parent state? This still won't get us to perfect isolation, but it would close off another major avenue.

- I find the discussion of sandboxed iframes in Section 3.1 confusing. Is the intent here simply for the same rules to apply to sandboxed iframes as for regular iframes?

- The idea of adding a WebIDL notation to indicate that an object is restricted to secure contexts seems like a good idea to me. I don't really care if that goes in this spec or in WebIDL directly. (cf. https://github.com/w3c/webappsec/issues/262)

Editorial nits:

- "minimum security bar" -> "minimum security level"
- "outlines threat models ... and outline normative requirements ..." -> "describes threat models ... outlines normative requirements ..."
- Section 1.1 might be better titled "Summary"
- Also, having a 1.1 is unnecessary, since there's no 1.2.
- The link to "potentially secure origin" is broken
Received on Wednesday, 14 October 2015 17:28:42 UTC
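The ancestor-chain reasoning in the message above, and the suggestion to treat window.opener the same way as the iframe parent, as an added worked example that is not part of the original message or of the Secure Contexts specification text. It models documents as plain objects with an `origin`, a `parent` and an `opener` link (an assumed shape, not a browser API), approximates the spec's "potentially trustworthy origin" test with the secure schemes, file URLs and loopback hosts, and then walks the chain: one non-secure link anywhere in it breaks the secure context. The `includeOpener` flag is the extension Richard proposes; the default behaviour is the ancestor-only check the draft describes.

```javascript
// Added example: a model of the Secure Contexts ancestor check, plus the
// opener-chain extension suggested in the message above. Documents are plain
// objects { origin, parent, opener }: `parent` is the embedding document (null
// for a top-level document), `opener` is the document that opened a popup
// (null if none). This is not the spec algorithm verbatim, only its shape.

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Approximation of "potentially trustworthy origin": secure schemes, file
// URLs and loopback hosts. Browsers additionally honour user configuration
// and privileged extension schemes, which this model deliberately omits.
function isPotentiallyTrustworthy(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // opaque ("null") or unparsable origins are never trustworthy
  }
  if (url.protocol === "https:" || url.protocol === "wss:" || url.protocol === "file:") {
    return true;
  }
  return LOOPBACK_HOSTS.has(url.hostname) || url.hostname.endsWith(".localhost");
}

// A document is a secure context only if its own origin and every document
// reachable through the parent chain (and, with includeOpener, the opener
// chain) is potentially trustworthy. The `seen` set guards against cycles,
// e.g. a popup whose opener is itself reachable through a parent.
function isSecureContext(doc, { includeOpener = false } = {}) {
  const seen = new Set();
  const pending = [doc];
  while (pending.length > 0) {
    const current = pending.pop();
    if (seen.has(current)) continue;
    seen.add(current);
    if (!isPotentiallyTrustworthy(current.origin)) {
      return false; // one broken link in the chain breaks the whole context
    }
    if (current.parent) pending.push(current.parent);
    if (includeOpener && current.opener) pending.push(current.opener);
  }
  return true;
}

// Constructed scenario from the message: the user reaches example.com over
// plain HTTP, an active attacker injects an HTTPS iframe into that page, and
// the iframe opens a popup. An all-HTTPS tree is included for contrast.
function scenario() {
  const insecureTop = { origin: "http://example.com", parent: null, opener: null };
  const attackerFrame = { origin: "https://attacker.example", parent: insecureTop, opener: null };
  const popup = { origin: "https://attacker.example", parent: null, opener: attackerFrame };

  const honestTop = { origin: "https://example.com", parent: null, opener: null };
  const honestFrame = { origin: "https://cdn.example", parent: honestTop, opener: null };

  return {
    // HTTPS iframe under an HTTP parent: the ancestor check denies it.
    frameIsSecure: isSecureContext(attackerFrame),
    // The popup has no parent, so the ancestor-only check lets it through
    // even though it was opened from a non-secure tree.
    popupIsSecureByAncestors: isSecureContext(popup),
    // Treating opener like parent closes that avenue.
    popupIsSecureWithOpener: isSecureContext(popup, { includeOpener: true }),
    // A fully HTTPS ancestor chain is a secure context.
    honestFrameIsSecure: isSecureContext(honestFrame),
  };
}

if (typeof module !== "undefined") {
  module.exports = { isPotentiallyTrustworthy, isSecureContext, scenario };
}
```

Running `scenario()` under Node shows the point of the message: the attacker's HTTPS iframe is denied by the ancestor check, but a popup it opens is only denied once the opener link is walked as well.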