This repository has been archived by the owner on Jan 25, 2019. It is now read-only.
https://w3c.github.io/dpubwg-charter/#scope says,
A Web Publication may be portable, and it may be hosted at some other origin. However, it must preserve information about its original origin and identity, so that references to a portable copy can be reconciled with the original publication, and so that the other origin can make informed choices about how much trust to grant to the publication.
If a publication is hosted at another origin, and you want trust decisions to be based on the original origin, we'd need a proof that the publication actually came from the original origin, which is non-trivial. We're trying to solve this as part of https://github.com/dimich-g/webpackage, and hopefully you'll just be able to take advantage of that, but if you want to include it in this scope too, you should also explicitly call out that you'll need to work with the Web Application Security WG or maybe the Web Security IG to make sure it's right.
Otherwise, might be straightforward to just treat copied publications as new content in their new origin with an attribution that isn't trusted by the UA.
@jyasskin, you are right. I have created a new pull request (#64) which now includes an additional liaison to the Web App Sec WG:
Porting a Web Publication, hosting the publication at some other origin, may raise security issues.
The Publishing Working Group will have to work closely with the Web Application Security WG to ensure that the approaches developed by that Working Group are adopted by Web Publication, and any additional work done by the Publication Working Group is in line with general Web Application Security.
Would that work for you? Note that there is an "automatic" liaison with the Web Sec IG already as part of the horizontal reviews (and listed in the intro paragraph of the coordination section of the charter).