"Is origin potentially trustworthy" algorithm assumes origins have scheme and host components #4

Closed
bzbarsky opened this issue Oct 21, 2015 · 8 comments

Comments

@bzbarsky

http://www.w3.org/TR/mixed-content/#potentially-secure-origin assumes origins have a scheme component.

So does https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy step 2 and so forth.

But globally unique identifier values do not have those components. Since those values can end up in this algorithm as far as I can tell, the behavior for them needs to be defined.

@mikewest
Member

d2db6fb addresses this (for this spec) by skipping the check for opaque identifier origins. I'll poke at MIX in a separate patch.
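
The gap this issue describes and the ordering that closes it, as an added example that is not part of the thread or of either spec. It assumes origins are handled in serialized form (where the WHATWG URL API writes an opaque origin as `"null"`), uses a simplified subset of scheme and host rules, and chooses to return false for opaque origins; all function names are hypothetical.

```javascript
// Added example, not code from the spec or this repository.
// Assumption: origins arrive in serialized form, where the WHATWG URL API
// represents an opaque origin (no scheme, host, or port) as the string "null".

const LOOPBACK_V4 = /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;

// Simplified subset of scheme/host rules, chosen for this sketch.
function schemeHostTrustworthy(scheme, host) {
  if (scheme === "https" || scheme === "wss") return true;
  return LOOPBACK_V4.test(host) || host === "[::1]";
}

// Shape the issue describes: reads scheme and host from every origin.
function naiveIsTrustworthy(serializedOrigin) {
  const u = new URL(serializedOrigin); // throws TypeError for "null"
  return schemeHostTrustworthy(u.protocol.slice(0, -1), u.hostname);
}

// Opaque origins are decided first, so the scheme/host steps only ever see
// tuple origins. Returning false for them is this example's assumption.
function isPotentiallyTrustworthy(serializedOrigin) {
  if (serializedOrigin === "null") return false;
  const u = new URL(serializedOrigin);
  return schemeHostTrustworthy(u.protocol.slice(0, -1), u.hostname);
}

// Constructed sample URLs; the data: URL has an opaque origin.
const SAMPLES = [
  "https://example.com/app",
  "http://example.com/app",
  "http://127.0.0.1:8080/",
  "data:text/plain,hello",
];

function classify(urls) {
  return urls.map((url) => {
    const origin = new URL(url).origin;
    return { url, origin, trustworthy: isPotentiallyTrustworthy(origin) };
  });
}

console.log(classify(SAMPLES));
```
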

mikewest added a commit that referenced this issue Oct 22, 2015
This patch addresses #4 and
w3c/webappsec-mixed-content#1 by dropping the 'potentially secure'
term from SECURE, and reworking the definition of 'potentially
trustworthy' for clarity. Hope it helps.
@mikewest
Member

Between these two patches, I think the specs define sane behavior. WDYT?

@bzbarsky
Author

@mikewest So we're just not referencing MIX now at all?

@mikewest
Member

MIX drops the 'potentially secure origin' definition, as it's confusing and unnecessary, and it turns out that MIX really cares more about URLs and responses than origins.

Perhaps focusing on origins in this spec is equally confusing. Hrm.

@jwatt
Contributor

jwatt commented Jan 28, 2016

> Perhaps focusing on origins in this spec is equally confusing. Hrm.

Perhaps, but maybe that can be considered in a separate issue, since I think this one is now resolved.

Do you agree bzbarsky?

@bzbarsky
Author

@jwatt Agree that this one is resolved, or that origins-vs-URIs should be considered separately?

@jwatt
Contributor

jwatt commented Mar 4, 2016

@bzbarsky Agree that this one is resolved.

@bzbarsky
Author

Yeah, looks resolved to me.

3 participants