Re: Presentation API in non secure contexts

From: mark a. foltz <mfoltz@google.com>
Date: Wed, 25 Jan 2017 10:16:04 -0800
Message-ID: <CALgg+HEd4KQ+PBQ0pQSPb4dS2r=dxOmAKDGJEAGZ2v=+pEsDdQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Frederik Braun <fbraun@mozilla.com>, Richard Barnes <rbarnes@mozilla.com>, Francois Daoust <fd@w3.org>, WebAppSec WG <public-webappsec@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>, "Kostiainen, Anssi" <anssi.kostiainen@intel.com>

On Mon, Jan 23, 2017 at 11:46 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Jan 24, 2017 at 8:29 AM, Frederik Braun <fbraun@mozilla.com>
> wrote:
> > Also, note that a user giving permission to a site in a non-secure
> > context will be surprised to note that this permission is leaking all
> > over the public wifis he's using.
>

Can you explain what you mean by "permission leaking" more specifically?
How does selecting a presentation display on one network "leak" to a
different network where the screen is no longer accessible?


> >
> > I wonder if a permission prompt on non-secure contexts is useful at all.
>
> I think doing such prompts on non-secure contexts devalues the overall
> security of prompts. Assuming that the user is carefully making the
> distinction and weighing their options is just not something we know
> to be true.
>

That's a fair point and weighs in favor of the restriction.

m.
Received on Wednesday, 25 January 2017 18:16:58 UTC