New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add [SecureContext] attribute to all interfaces #402

Merged
merged 1 commit into from Jul 7, 2018

Conversation

Projects
None yet
2 participants
@reillyeon
Contributor

reillyeon commented Jul 6, 2018

This is a followup to #401 and adds the [SecureContext] attribute to all remaining interfaces.


Preview | Diff

@reillyeon reillyeon requested a review from jyasskin Jul 6, 2018

@jyasskin

Thanks!

@@ -5150,6 +5165,7 @@ spec: promises-guide-1
</p>
<pre class="idl">
[SecureContext]

This comment has been minimized.

@jyasskin

jyasskin Jul 6, 2018

Member

This is probably the right thing to do, but note that it'll break anyone using this to just calculate Bluetooth UUIDs even if they're not trying to communicate with BT devices. So, this one probably deserves the I2S.

This comment has been minimized.

@reillyeon

reillyeon Jul 7, 2018

Contributor

I hit something similar when putting together a change to the WebUSB spec since I noticed that we're exposing some interface constructors in insecure contexts there too. In this case it's the USBPermissionStatus interface since even though WebUSB isn't allowed in insecure contexts the permissions API still could be called from one (it will just return "denied").

I'm okay with keeping these utility functions available in all contexts as it doesn't provide any security benefit to restrict them.

index.bs Outdated
(<a idl lt="Bluetooth">requestDevice</a>).
To help ensure that only the entity the user approved for access actually
has access, this specification requires that only <a>secure contexts</a>
can access the <a idl>Bluetooth</a> interface.

This comment has been minimized.

@jyasskin

jyasskin Jul 6, 2018

Member

I think "can access Bluetooth devices" is still the basic requirement. We then block access to all Bluetooth-related interfaces to improve the developer experience.

This comment has been minimized.

@reillyeon

reillyeon Jul 7, 2018

Contributor

Ok, just removing the link to requestDevice then.

Add [SecureContext] attribute to all interfaces
This is a followup to #401 and adds the [SecureContext] attribute to all
remaining interfaces.

@reillyeon reillyeon merged commit 77f05ac into WebBluetoothCG:master Jul 7, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment