Re: localhost + secure contexts [was Re: Call for Consensus: Require secure context for WebCrypto] from Jason Proctor on 2016-08-03 (public-webcrypto@w3.org from August 2016)

From: Jason Proctor <jason@mono.hm>
Date: Wed, 3 Aug 2016 11:01:46 -0700
To: Harry Halpin <hhalpin@w3.org>
Cc: public-webcrypto@w3.org, Mike West <mkwst@google.com>, Brad Hill <hillbrad@fb.com>
Message-ID: <CALQanAKiYksr3kHf1u_BCmCfUQgNZXL5WKroQFUJ0WCo8LV9Yg@mail.gmail.com>

On Mon, Aug 1, 2016 at 5:44 AM, Harry Halpin <hhalpin@w3.org> wrote:

>
>
> On 07/15/2016 09:30 PM, Jason Proctor wrote:
>
> there's currently an exception made when the origin is localhost. i trust
> that exception will be allowed to remain?
>
>
> I think that will be discussed on the call today.
>
> @Mike - any opinion?
>


i notice also that there is an exception made for WebCrypto applications
embedded in applications, eg, loading from the assets bundle via a file:
URL on Android. given that these environments are reasonably secure, i'd
like to see that exception maintained too.







>
>
>
> On Thu, Jul 14, 2016 at 8:53 AM, Mark Watson <watsonm@netflix.com> wrote:
>
>> I believe the proposal on the call was to _require_ a secure origin
>> for access to WebCrypto methods. So, a browser which supported them on
>> an insecure context would be non-compliant.
>>
>> This means that WebCrypto methods should fail if the origin is not
>> secure (or, more specifically, I've proposed in a PR 'if the incumbent
>> settings object is not a secure context').
>>
>> An alternative might be that window.crypto.subtle is undefined if the
>> origin is not secure, but methods failing is what Chrome already does.
>>
>> ...Mark
>>
>> > On Jul 14, 2016, at 7:59 AM, Harry Halpin <hhalpin@w3.org> wrote:
>> >
>> > Also, feel free to comment on Github rather than the list:
>> > https://github.com/w3c/webcrypto/issues/28
>> >
>> >> On 07/14/2016 04:35 PM, Harry Halpin wrote:
>> >> We're thinking of adding a sentence saying that secure origins should
>> be
>> >> required for the use of WebCrypto.
>> >>
>> >> In detail, we'd like to follow the definition of a secure context given
>> >> here [1], although since that document is still an editor's draft so we
>> >> will instead say that the "The top-level browsing context should be
>> >> secure when using the WebCrypto API."
>> >>
>> >> People may also want to see this document, which mentions how the use
>> of
>> >> WebCrypto within a secure origin can lead to l
>> >> https://w3c.github.io/webappsec-secure-contexts/#ancestors
>> >>
>> >> Since all browsers support WebCrypto using TLS, this should not change
>> >> the test-suite or conformance requirements. As long as browsers enable
>> >> the usage of WebCrypto in TLS, we will not consider them non-conformant
>> >> if they offer the usage of WebCrypto outside TLS. However, given it is
>> >> not best practice, this note will at least inform developers to use TLS
>> >> properly when using WebCrypto, as otherwise (as we've seen), some
>> >> developers may believe enabling WebCrypto without TLS may give them
>> >> security properties it indeed does not.
>> >>
>> >> We'll have a two week period for discussion before making any changes
>> to
>> >> the spec in this regard.
>> >>
>> >>  cheers,
>> >>    harry
>> >>
>> >> [1] https://w3c.github.io/webappsec-secure-contexts
>> >
>> >
>>
>>
>
>

Received on Wednesday, 3 August 2016 18:02:18 UTC