Re: localhost + secure contexts [was Re: Call for Consensus: Require secure context for WebCrypto] from Mike West on 2016-08-01 (public-webcrypto@w3.org from August 2016)

From: Mike West <mkwst@google.com>
Date: Mon, 1 Aug 2016 15:04:28 +0200
To: Harry Halpin <hhalpin@w3.org>
Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>, Brad Hill <hillbrad@fb.com>
Message-ID: <CAKXHy=fBVvt-WDitjvStWDvWmDnbFa+f+0w6P0f0K0ELJj-rXQ@mail.gmail.com>

https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
carves out `127.0.0.1/8` and `::1/128` over HTTP, as well as `file:` as
"secure". It does not carve out `http://localhost/`, as that resolves over
the network in a number of situations. That's discussed in
https://w3c.github.io/webappsec-secure-contexts/#localhost.

Does that answer the question?

-mike

On Mon, Aug 1, 2016 at 2:44 PM, Harry Halpin <hhalpin@w3.org> wrote:

>
>
> On 07/15/2016 09:30 PM, Jason Proctor wrote:
>
> there's currently an exception made when the origin is localhost. i trust
> that exception will be allowed to remain?
>
>
> I think that will be discussed on the call today.
>
> @Mike - any opinion?
>
>
>
>
> On Thu, Jul 14, 2016 at 8:53 AM, Mark Watson <watsonm@netflix.com> wrote:
>
>> I believe the proposal on the call was to _require_ a secure origin
>> for access to WebCrypto methods. So, a browser which supported them on
>> an insecure context would be non-compliant.
>>
>> This means that WebCrypto methods should fail if the origin is not
>> secure (or, more specifically, I've proposed in a PR 'if the incumbent
>> settings object is not a secure context').
>>
>> An alternative might be that window.crypto.subtle is undefined if the
>> origin is not secure, but methods failing is what Chrome already does.
>>
>> ...Mark
>>
>> > On Jul 14, 2016, at 7:59 AM, Harry Halpin <hhalpin@w3.org> wrote:
>> >
>> > Also, feel free to comment on Github rather than the list:
>> > https://github.com/w3c/webcrypto/issues/28
>> >
>> >> On 07/14/2016 04:35 PM, Harry Halpin wrote:
>> >> We're thinking of adding a sentence saying that secure origins should
>> be
>> >> required for the use of WebCrypto.
>> >>
>> >> In detail, we'd like to follow the definition of a secure context given
>> >> here [1], although since that document is still an editor's draft so we
>> >> will instead say that the "The top-level browsing context should be
>> >> secure when using the WebCrypto API."
>> >>
>> >> People may also want to see this document, which mentions how the use
>> of
>> >> WebCrypto within a secure origin can lead to l
>> >> https://w3c.github.io/webappsec-secure-contexts/#ancestors
>> >>
>> >> Since all browsers support WebCrypto using TLS, this should not change
>> >> the test-suite or conformance requirements. As long as browsers enable
>> >> the usage of WebCrypto in TLS, we will not consider them non-conformant
>> >> if they offer the usage of WebCrypto outside TLS. However, given it is
>> >> not best practice, this note will at least inform developers to use TLS
>> >> properly when using WebCrypto, as otherwise (as we've seen), some
>> >> developers may believe enabling WebCrypto without TLS may give them
>> >> security properties it indeed does not.
>> >>
>> >> We'll have a two week period for discussion before making any changes
>> to
>> >> the spec in this regard.
>> >>
>> >>  cheers,
>> >>    harry
>> >>
>> >> [1] https://w3c.github.io/webappsec-secure-contexts
>> >
>> >
>>
>>
>
>

Received on Monday, 1 August 2016 13:32:12 UTC