On 7/1/15 4:43 AM, Anne van Kesteren wrote:
I hope that we can get somewhat better on this. It is rather useful to
have a somewhat large set of people have insight as to what goes into
Platform.
Sure. I'm just saying that I suspect people underestimate the number of
features we add, the granularity we add them at, and the number of "is
this a secure context?" checks we'd need to sprinkle like pixie dust to
implement the proposal as written.
Put another way, I think the presumption that everything should be
"secure-context-only unless proven otherwise" is not necessarily the
right one for all modules and I think that it might be worth talking to
some module owners about whether their particular module should have
that presumption, or the opposite one of "available-everywhere unless
requested otherwise".
https://w3c.github.io/webappsec/specs/powerfulfeatures/ is what we use
for service workers.
I assume you specifically mean
https://w3c.github.io/webappsec/specs/powerfulfeatures/#settings-secure ?
Ignoring for the moment the issues listed right there in the algorithm,
I just did a quick read resulting in the following mails:
https://lists.w3.org/Archives/Public/public-webappsec/2015Jul/0010.html
https://lists.w3.org/Archives/Public/public-webappsec/2015Jul/0011.html
https://lists.w3.org/Archives/Public/public-webappsec/2015Jul/0012.html
I didn't do a careful audit or anything; just the things that jumped out
at me immediately on reading the algorithm and trying to understand what
it's saying.
For our own internal usage, of course, we'd need to decide what
https://w3c.github.io/webappsec/specs/powerfulfeatures/#is-origin-trustworthy
step 5 should mean in our particular case. How we define that is
important to being able to evaluate what our policy should be here.
-Boris
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform