New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"Is origin potentially trustworthy" algorithm assumes origins have scheme and host components #4
Comments
d2db6fb addresses this (for this spec) by skipping the check for opaque identifier origins. I'll poke at MIX in a separate patch. |
This patch addresses #4 and w3c/webappsec-mixed-content#1 by dropping the 'potentially secure' term from SECURE, and reworking the definition of 'potentially trustworthy' for clarity. Hope it helps.
Between these two patches, I think the specs define sane behavior. WDYT? |
@mikewest So we're just not referencing MIX now at all? |
MIX drops the 'potentially secure origin' definition, as it's confusing and unnecessary, and it turns out that MIX really cares more about URLs and responses than origins. Perhaps focusing on origins in this spec is equally confusing. Hrm. |
Perhaps, but maybe that can be considered in a separate issue, since I think this one is now resolved. Do you agree bzbarsky? |
@jwatt Agree that this one is resolved, or that origins-vs-URIs should be considered separately? |
@bzbarsky Agree that this one is resolved. |
Yeah, looks resolved to me. |
http://www.w3.org/TR/mixed-content/#potentially-secure-origin assumes origins have a scheme component.
So does https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy step 2 and so forth.
But globally unique identifier values do not have those components. Since those values can end up in this algorithm as far as I can tell, the behavior for them needs to be defined.
The text was updated successfully, but these errors were encountered: