- From: Anne van Kesteren via GitHub <sysbot+gh@w3.org>
- Date: Fri, 01 Nov 2019 13:08:33 +0000
- To: public-webrtc@w3.org
annevk has just created a new issue for https://github.com/w3c/webrtc-pc:

== RTCCertificate security boundary ==

In https://github.com/whatwg/html/issues/4939 I've been exploring infrastructure for objects which we'd like to limit to the same-origin. The only real security boundary we have for objects is agents and their container, agent clusters, and they are per site+scheme (so contain multiple origins). That is, while we could make deserializing X fail on B if serializing X happened on A, we cannot necessarily prevent A from sharing X with B, if A and B are same-site and same-scheme.

This means that if step 4.2 of https://w3c.github.io/webrtc-pc/#constructor is crucial for some reason not related to the ability for B to "read" X, we cannot really simplify RTCCertificate much. `[Serializable=SameOrigin]` might still be good to signal intent, but it would not allow removing `[[Origin]]` as A can still share X with B using `document.domain`.

(I should note that in general it's a little weird for objects to carry around an origin as messaging is supposed to be about object capabilities, but I think I can see how for a certificate that might be different.)

cc @jan-ivar

Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/2343 using your GitHub account
Received on Friday, 1 November 2019 13:08:35 UTC
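The two boundaries the issue contrasts, as an added toy model that is not code from the issue, the webrtc-pc spec or the HTML spec: it assumes step 4.2 is the check that a certificate's `[[Origin]]` matches the constructing document's origin, and approximates "site" as scheme plus the last two host labels (a real browser consults the Public Suffix List).

```javascript
// Added illustration (not from the issue or either spec). Models the same-origin
// check on RTCCertificate.[[Origin]] (assumed to be what constructor step 4.2
// enforces) against the coarser same-site+scheme agent-cluster boundary that
// document.domain lets cross-origin, same-site documents cross.
// Assumption: "site" = scheme + last two host labels; no Public Suffix List here.

function parseOrigin(url) {
  const u = new URL(url);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port || null };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

function sameSite(a, b) {
  const site = (o) => o.scheme + '://' + o.host.split('.').slice(-2).join('.');
  return site(a) === site(b);
}

// Toy RTCCertificate: like the spec object, it remembers the origin that made it.
function generateCertificate(creatorUrl) {
  return { origin: parseOrigin(creatorUrl), fingerprint: 'constructed-fingerprint' };
}

// Assumed step 4.2: a document may only use certificates its own origin created.
function constructPeerConnection(documentUrl, certificate) {
  if (!sameOrigin(parseOrigin(documentUrl), certificate.origin)) {
    throw new Error('InvalidAccessError: certificate [[Origin]] does not match');
  }
  return { certificates: [certificate] };
}

// Whether A can hand the object to B at all: same agent cluster (same site and
// scheme), which is the widest boundary document.domain can open.
function canShareObject(urlA, urlB) {
  return sameSite(parseOrigin(urlA), parseOrigin(urlB));
}

// Returns 'accepted' or 'rejected' so the outcome is easy to assert on.
function tryUse(documentUrl, certificate) {
  try { constructPeerConnection(documentUrl, certificate); return 'accepted'; }
  catch (e) { return 'rejected'; }
}
```

Same-site B can receive A's certificate object, but the `[[Origin]]` check still stops B from using it; that is why the post says `[Serializable=SameOrigin]` alone would not let `[[Origin]]` go.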