W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2016

[powerful features] Secure Contexts and Framed Documents

From: Rich Tibbett <rich.tibbett@gmail.com>
Date: Wed, 13 Jan 2016 17:59:01 +0100
Message-ID: <CALmeN0dY14ne4rR9YJH5=LDng=GieBEBmD_j48xrq17fvaO+jg@mail.gmail.com>
To: public-webappsec@w3.org
Hi Web App Sec,

I've been reviewing the Privileged Contexts spec and came across the
following 'Framed Documents' restriction that I hoped we could discuss
further within the context of our specific use case:
https://w3c.github.io/webappsec-secure-contexts/#example-c52936fc (Example
#8).

I work for a startup that relies almost entirely on being able to provide
embeddable content to third-parties based on top of the powerful APIs
considered within scope of this document. Embedding our web content through
third-parties via iframes also happens to be the industry-standard way our
content gets distributed. With the whole web not yet using HTTPS in 2016 we
end up having little control over whether our content ends up being
embedded on HTTP or HTTPS websites. Since, in this scenario, we don't get
to choose our parents we would simply be unable to enforce the ancestor
origin restrictions that are being proposed here and thus we will lose
access to the powerful APIs on which our business foundations are built.

In addition, no 'escape hatch' for an iframe that does everything right
other than having 'bad' parents has been discussed AFAICT. Could a
potentially non-HTTPS parent opt-in an HTTPS-based iframe to access certain
powerful features somehow? Alternatively, could an HTTPS iframe be suitably
sandboxed from its non-secure parent(s) so it can continue to gain access
to powerful APIs? Could it be a further permission option we obtain from
users, potentially at the same time they authorize a powerful feature on
our own site, so they can then also access it in an iframe on a third-party
site?

Really I'm asking what we should do if/when these framed document
restrictions ship. We have no control over the industry content
distribution networks we need to use and simply find ourselves in a
difficult situation we need to resolve in any way other than 'it is
impossible'.

I look forward to your input and feedback on this.

br/ Rich
Received on Wednesday, 13 January 2016 16:59:48 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:17 UTC