* Features that require TLS
[25] As a rule, the following features are not available over [[plain HTTP]] and must be used over [[HTTPS]].
[FIG(list short)[
- [[Service Workers]]
- [[HTTP/2]]
- [[DeviceOrientation Event]]
- [[Brotli]]
]FIG]
* History
[1] [CITE@en[MIX: Introduce a definiton of 'authenticated origin/environment'. · 5e594d0 · w3c/webappsec]]
( ([TIME[2014-08-24 02:35:27 +09:00]] version))
<https://github.com/w3c/webappsec/commit/5e594d044ecf9a1b87a082e768adf02bb600bb52>
[2] [CITE[Prefer Secure Origins For Powerful New Features - The Chromium Projects]]
( ([TIME[2014-08-23 19:05:44 +09:00]] version))
<http://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features>
[3] [CITE@en[Defining secure-enough origins.]]
( (by [[Mike West]], [TIME[2014-08-22 18:37:25 +09:00]] version))
<http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0107.html>
[4] [CITE@en[Bug 25972 – Please require a secure origin]]
( ([TIME[2014-08-24 02:47:20 +09:00]] version))
<https://www.w3.org/Bugs/Public/show_bug.cgi?id=25972>
[5] [CITE@en[MIX: 'data:' and 'javascript:' are not authenticated origins. · c17d4f4 · w3c/webappsec]]
( ([TIME[2014-09-04 13:20:18 +09:00]] version))
<https://github.com/w3c/webappsec/commit/c17d4f4c2dd33b2d2d280f40b36d79ceef942a15>
[6] [CITE@en[Proposal: Prefer secure origins for powerful new web platform features]]
( (by [[Chris Palmer]], [TIME[2014-06-28 07:55:32 +09:00]] version))
<http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0222.html>
[7] [CITE@en[Re: Proposal: Prefer secure origins for powerful new web platform features]]
( (by [[Chris Palmer]], [TIME[2014-08-22 05:19:16 +09:00]] version))
<http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0078.html>
[8] [CITE[IRC logs: freenode / #whatwg / 20140928]]
( ([TIME[2014-09-29 06:53:48 +09:00]] version))
<http://krijnhoetmer.nl/irc-logs/whatwg/20140928#l-228>
[9] [CITE[IRC logs: freenode / #whatwg / 20141001]]
( ([TIME[2014-10-02 05:57:53 +09:00]] version))
<http://krijnhoetmer.nl/irc-logs/whatwg/20141001>
[10] [CITE[IRC logs: freenode / #whatwg / 20141031]]
( ([TIME[2014-11-01 03:16:58 +09:00]] version))
<http://krijnhoetmer.nl/irc-logs/whatwg/20141031#l-377>
[11] [CITE@en[MIX: Rework the 'powerful features' algorithms. · ab1894a · w3c/webappsec]]
( ([TIME[2014-11-01 03:34:46 +09:00]] version))
<https://github.com/w3c/webappsec/commit/ab1894a2ad9b9155c1d1e5a2281e354f0d30a3ed>
[12] [CITE@en[POWER: Strawman 'powerful features' document. · 3c1b2f6 · w3c/webappsec]]
( ([TIME[2014-11-21 21:04:22 +09:00]] version))
<https://github.com/w3c/webappsec/commit/3c1b2f63ac14de88dc7ccf3966e5959446d98986>
[13] [CITE@en["Requirements for Powerful Features" strawman.]]
( (by [[Mike West]], [TIME[2014-11-20 22:21:50 +09:00]] version))
<http://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0315.html>
[14] [CITE@en[Requirements for Powerful Features]]
( ([TIME[2014-11-21 20:21:00 +09:00]] version))
<https://w3c.github.io/webappsec/specs/powerfulfeatures/>
[15] [CITE@en[MIX: Drop powerful features. · 52a9881 · w3c/webappsec]]
( ([TIME[2014-11-25 17:14:22 +09:00]] version))
<https://github.com/w3c/webappsec/commit/52a9881829877ebe7ee9a7aad340f873d9b99210>
[16] [CITE@en[Requirements for Powerful Features]]
( ([TIME[2014-12-03 11:37:43 +09:00]] version))
<http://www.w3.org/TR/2014/WD-powerful-features-20141204/>
[17] [CITE@en[Proposal: Marking HTTP As Non-Secure]]
( (by [[Chris Palmer]], [TIME[2014-12-13 09:46:34 +09:00]] version))
<http://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0062.html>
[18] [CITE@en[Privileged context features and JavaScript]]
(by [[Anne van Kesteren]], [TIME[2015-04-17 14:16:44 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webapps/2015AprJun/0142.html>
[19] [CITE@en[Secure Contexts: It's worth taking another look.]]
(by [[Mike West]], [TIME[2015-09-11 14:15:13 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0068.html>
[20] [CITE@en[Secure Contexts]]
([TIME[2015-09-30 21:19:01 +09:00]] version)
<https://w3c.github.io/webappsec-secure-contexts/>
[21] [CITE@en[w3c/webappsec-secure-contexts]]
([TIME[2015-10-06 23:22:24 +09:00]] version)
<https://github.com/w3c/webappsec-secure-contexts>
[22] [CITE@en[Defining secure global objects. · w3c/webappsec-secure-contexts@d676950]]
([TIME[2015-10-17 11:21:30 +09:00]] version)
<https://github.com/w3c/webappsec-secure-contexts/commit/d67695029560dd9d635495f973c4c369a39301ee>
[23] [CITE@en[Replace "potentially secure origins" with "secure contexts" · w3c/webappsec-subresource-integrity@b2ee530]]
([TIME[2015-10-30 18:46:33 +09:00]] version)
<https://github.com/w3c/webappsec-subresource-integrity/commit/b2ee530a405afeeacd4108e7aaeba93da7a9e6ee>
[24] [CITE@en[Discuss the `''''''[''''''SecureContext'''''']''''''` attribute. · w3c/webappsec-secure-contexts@6ad8e91]]
([TIME[2015-12-12 10:51:40 +09:00]] version)
<https://github.com/w3c/webappsec-secure-contexts/commit/6ad8e91b895bc06415e3e50e9654822989f448ac>
[FIG(quote)[
[FIGCAPTION[
[26] [CITE[Interact with BLE devices on the Web | Web Updates - Google Developers]]
([TIME[2015-12-11 00:48:02 +09:00]] version)
<https://developers.google.com/web/updates/2015/07/interact-with-ble-devices-on-the-web>
]FIGCAPTION]
> Because the Web Bluetooth API is a powerful new feature added to the Web, Google Chrome aims to make it available only to secure contexts.
]FIG]
[27] [CITE@en[Use ''''''[''''''SecureContext'''''']'''''' before it's cool · whatwg/storage@67fcb15]]
([TIME[2016-04-01 19:38:21 +09:00]] version)
<https://github.com/whatwg/storage/commit/67fcb1510a03afce89f1542203f783103c0c1407>
[28] [CITE@en[Merge branch 'secure-context' into gh-pages · heycam/webidl@710b36c]]
([TIME[2016-04-13 15:24:58 +09:00]] version)
<https://github.com/heycam/webidl/commit/710b36c501ffd130bb4e7b9af43d9be4981a6631>
[29] [CITE@en[Secure Contexts]]
([TIME[2016-04-13 16:52:03 +09:00]] version)
<https://www.w3.org/TR/2016/WD-powerful-features-20160413/>
[FIG(quote)[
[FIGCAPTION[
[30] [CITE@en[Re: '''['''secure-contexts''']''' `*.localhost` + DNS]]
( (by [[Mike West]], [TIME[2016-05-03 21:08:52 +09:00]]))
<https://lists.w3.org/Archives/Public/public-webappsec/2016May/0009.html>
]FIGCAPTION]
> A better solution, I think, is for browser vendors to provide an override
> mechanism for origins you specifically care about: Chrome
> has `--unsafely-treat-insecure-origin-as-secure="
> http://project.laptop.example.com"`, and I assume Safari, Opera, Firefox,
> and Edge could be prevailed upon to provide similar controls as suggested
> in https://www.w3.org/TR/secure-contexts/#development-environments.
]FIG]
[31] [CITE@en[Remove support for '''['''Constructor''']''' on dictionaries (fixes #109).]]
( (by [[Ms2ger]], [TIME[2016-04-20 20:34:07 +09:00]]))
<https://github.com/heycam/webidl/commit/1982dc3f17002c07f93b39e22f69846478e4a9e2>
[32] [CITE@en[Clarify recommendation for restricting new features.]]
(by [[mikewest]], [TIME[2016-07-15 13:33:33 +09:00]])
<https://github.com/w3c/webappsec-secure-contexts/commit/f99c8970d432647a23fe65e3913fb5202d4561a9>
[33] [CITE@en[Secure Contexts]]
([TIME[2016-07-18 16:57:33 +09:00]])
<https://www.w3.org/TR/2016/WD-secure-contexts-20160718/>
[34] [CITE@en[Rewrite algorithm to handle sandboxes inside 'http://127.0.0.1/']]
(by [[mikewest]], [TIME[2016-07-19 21:08:23 +09:00]])
<https://github.com/w3c/webappsec-secure-contexts/commit/4e14df58c1148bcb448992d4b579a50f4f881051>
[35] [CITE@en[Secure Contexts]]
([TIME[2016-07-19 21:55:10 +09:00]])
<https://www.w3.org/TR/2016/WD-secure-contexts-20160719/>
[36] [CITE@en[CfC: Transition "Secure Contexts" to CR; deadline August 2nd.]]
(by [[Mike West]], [TIME[2016-07-19 22:21:55 +09:00]])
<https://lists.w3.org/Archives/Public/public-webappsec/2016Jul/0032.html>
[37] [CITE@en[Re: CfC: Transition "Secure Contexts" to CR; deadline August 2nd.]]
(by [[Mike West]], [TIME[2016-08-03 03:51:22 +09:00]])
<https://lists.w3.org/Archives/Public/public-webappsec/2016Aug/0001.html>
[38] [CITE@en[Reference 'Securing the Web']]
(by [[mikewest]], [TIME[2016-08-31 00:43:08 +09:00]])
<https://github.com/w3c/webappsec-secure-contexts/commit/9562a4b1bffe99fff8eca6207234bb672e8233cb>
[39] [CITE@en[Secure Contexts]]
([TIME[2016-09-15 06:13:55 +09:00]])
<https://www.w3.org/TR/2016/CR-secure-contexts-20160915/>
[40] [CITE@en[Adding '''['''SecureContext''']''' extended attribute.]]
(by [[tobie]], [TIME[2016-10-29 18:39:48 +09:00]])
<https://github.com/w3c/sensors/commit/9af53599d8bbe1c1a3bc1df1d3cd1b486bc3c6f3>
[FIG(quote)[
[FIGCAPTION[
[41] [CITE@en[DeviceOrientation Event Specification]]
([TIME[2016-08-19 00:30:43 +09:00]])
<https://w3c.github.io/deviceorientation/spec-source-orientation.html#security-and-privacy>
]FIGCAPTION]
> fire events only on secure browsing contexts '''['''SECURE-CONTEXTS''']''',
]FIG]
[42] [CITE@en[draft-thomson-http-omnomnom-00 - Expiring Aggressively Those HTTP Cookies]]
([TIME[2016-12-26 07:05:01 +09:00]])
<https://tools.ietf.org/html/draft-thomson-http-omnomnom-00>
[43] [CITE@en[Merge pull request #55 from w3c/issue-52-secure-context]]
(by [[mikewest]], [TIME[2017-01-14 15:29:47 +09:00]])
<https://github.com/w3c/webappsec-credential-management/commit/7988cf32aab6b69a1522763cb1911d781ba995fd>
[44] [CITE@en[Deprecations and Removals in Chrome 58 | Web | Google Developers]]
( ([TIME[2017-03-28 01:25:28 +09:00]]))
<https://developers.google.com/web/updates/2017/03/chrome-58-deprecations>
[45] [CITE@en[Google Online Security Blog: Next Steps Toward More Connection Security]]
([TIME[2017-05-04 09:56:34 +09:00]])
<https://security.googleblog.com/2017/04/next-steps-toward-more-connection.html>
[FIG(quote)[
[FIGCAPTION[
[46] [CITE@en[Linked Data Notifications]]
([TIME[2017-05-02 20:42:58 +09:00]])
<https://linkedresearch.org/ldn/#authenticated-inboxes>
]FIGCAPTION]
> Authentication involving token passing must be done over HTTPS.
]FIG]
[47] [CITE@en[Deprecations and Removals in Chrome 60 | Web | Google Developers]]
([TIME[2017-06-15 00:01:43 +09:00]])
<https://developers.google.com/web/updates/2017/06/chrome-60-deprecations>