localhost + secure contexts [was Re: Call for Consensus: Require secure context for WebCrypto] from Harry Halpin on 2016-08-01 (public-webcrypto@w3.org from August 2016)

From: Harry Halpin <hhalpin@w3.org>
Date: Mon, 1 Aug 2016 14:44:42 +0200
To: public-webcrypto@w3.org, Mike West <mkwst@google.com>, Brad Hill <hillbrad@fb.com>
Message-ID: <7d3f05e7-eb13-9f84-b077-892127f6c394@w3.org>

On 07/15/2016 09:30 PM, Jason Proctor wrote:
> there's currently an exception made when the origin is localhost. i
> trust that exception will be allowed to remain?

I think that will be discussed on the call today.

@Mike - any opinion?
>
>
>
> On Thu, Jul 14, 2016 at 8:53 AM, Mark Watson <watsonm@netflix.com
> <mailto:watsonm@netflix.com>> wrote:
>
>     I believe the proposal on the call was to _require_ a secure origin
>     for access to WebCrypto methods. So, a browser which supported them on
>     an insecure context would be non-compliant.
>
>     This means that WebCrypto methods should fail if the origin is not
>     secure (or, more specifically, I've proposed in a PR 'if the incumbent
>     settings object is not a secure context').
>
>     An alternative might be that window.crypto.subtle is undefined if the
>     origin is not secure, but methods failing is what Chrome already does.
>
>     ...Mark
>
>     > On Jul 14, 2016, at 7:59 AM, Harry Halpin <hhalpin@w3.org
>     <mailto:hhalpin@w3.org>> wrote:
>     >
>     > Also, feel free to comment on Github rather than the list:
>     > https://github.com/w3c/webcrypto/issues/28
>     >
>     >> On 07/14/2016 04:35 PM, Harry Halpin wrote:
>     >> We're thinking of adding a sentence saying that secure origins
>     should be
>     >> required for the use of WebCrypto.
>     >>
>     >> In detail, we'd like to follow the definition of a secure
>     context given
>     >> here [1], although since that document is still an editor's
>     draft so we
>     >> will instead say that the "The top-level browsing context should be
>     >> secure when using the WebCrypto API."
>     >>
>     >> People may also want to see this document, which mentions how
>     the use of
>     >> WebCrypto within a secure origin can lead to l
>     >> https://w3c.github.io/webappsec-secure-contexts/#ancestors
>     >>
>     >> Since all browsers support WebCrypto using TLS, this should not
>     change
>     >> the test-suite or conformance requirements. As long as browsers
>     enable
>     >> the usage of WebCrypto in TLS, we will not consider them
>     non-conformant
>     >> if they offer the usage of WebCrypto outside TLS. However,
>     given it is
>     >> not best practice, this note will at least inform developers to
>     use TLS
>     >> properly when using WebCrypto, as otherwise (as we've seen), some
>     >> developers may believe enabling WebCrypto without TLS may give them
>     >> security properties it indeed does not.
>     >>
>     >> We'll have a two week period for discussion before making any
>     changes to
>     >> the spec in this regard.
>     >>
>     >>  cheers,
>     >>    harry
>     >>
>     >> [1] https://w3c.github.io/webappsec-secure-contexts
>     >
>     >
>
>

Received on Monday, 1 August 2016 12:44:50 UTC