Re: [powerful features] Secure Contexts and Framed Documents

On Wed, Jan 13, 2016 at 6:09 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Jan 13, 2016 at 5:59 PM, Rich Tibbett <rich.tibbett@gmail.com>
> wrote:
> > In addition, no 'escape hatch' for an iframe that does everything right
> > other than having 'bad' parents has been discussed AFAICT. Could a
> > potentially non-HTTPS parent opt-in an HTTPS-based iframe to access
> certain
> > powerful features somehow?
>
> No, this is the specific scenario we are trying to avoid. I.e.,
> Netflix worked around the HTTPS restriction on to crypto API by using
> an <iframe> and postMessage().
>

At the point of obtaining access to sensor APIs there is no network access.
What am I missing here?


>
> > Alternatively, could an HTTPS iframe be suitably
> > sandboxed from its non-secure parent(s) so it can continue to gain
> access to
> > powerful APIs?
>
> No postMessage()? What did you have in mind?
>

Why could browsers not ship a properly secure sandbox and why should that
not be proposed in this group / mailing list?


>
>
> > Could it be a further permission option we obtain from users,
> > potentially at the same time they authorize a powerful feature on our own
> > site, so they can then also access it in an iframe on a third-party site?
>
> This doesn't seem like something you can reasonably ask users.
>

You may be right but it was worth mentioning as a possibility here, right?


>
>
> > Really I'm asking what we should do if/when these framed document
> > restrictions ship. We have no control over the industry content
> distribution
> > networks we need to use and simply find ourselves in a difficult
> situation
> > we need to resolve in any way other than 'it is impossible'.
>
> Recommend folks to adopt HTTPS.
>

So impossible then unless the whole web adopts HTTPS before this ships?