-
Notifications
You must be signed in to change notification settings - Fork 148
/
index.html
999 lines (988 loc) · 75.2 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
<!doctype html><html lang="en">
<head>
<meta http-equiv="refresh" content="0; url=https://w3c.github.io/webappsec-secure-contexts/">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>Secure Contexts</title>
<link href="../default.css" rel="stylesheet" type="text/css">
<style>
body {
background: url("https://www.w3.org/StyleSheets/TR/logo-ED") top left no-repeat white;
background-attachment: fixed;
color: black;
font-family: sans-serif;
margin: 0 auto;
max-width: 50em;
padding: 2em 1em 2em 70px;
}
:link { color: #00C; background: transparent }
:visited { color: #609; background: transparent }
a[href]:active { color: #C00; background: transparent }
a[href]:hover { background: #ffa }
a[href] img { border-style: none }
h1, h2, h3, h4, h5, h6 { text-align: left }
h1, h2, h3 { color: #005A9C; }
h1 { font: 170% sans-serif }
h2 { font: 140% sans-serif }
h3 { font: 120% sans-serif }
h4 { font: bold 100% sans-serif }
h5 { font: italic 100% sans-serif }
h6 { font: small-caps 100% sans-serif }
.hide { display: none }
div.head { margin-bottom: 1em }
div.head h1 { margin-top: 2em; clear: both }
div.head table { margin-left: 2em; margin-top: 2em }
p.copyright { font-size: small }
p.copyright small { font-size: small }
pre { margin-left: 2em }
dt { font-weight: bold }
ul.toc, ol.toc {
list-style: none;
}
</style>
<meta content="Bikeshed 1.0.0" name="generator">
<style>
.secure {
fill: #8F8;
}
.non-secure {
fill: #F88;
}
rect, circle {
stroke-width: 2;
stroke: black;
fill-opacity: 0.75;
}
text {
font-family: monospace;
}
text.rejection {
fill: #F00;
font-weight: 700;
font-size: 2em;
}
g path {
stroke-width: 2px;
stroke: #666;
fill-opacity: 0;
stroke-dasharray: 5px, 5px;
}
</style>
</head>
<body class="h-entry">
<div class="head">
<p data-fill-with="logo"><a class="logo" href="http://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/Icons/w3c_home" width="72"> </a> </p>
<h1 class="p-name no-ref" id="title">Secure Contexts</h1>
<h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2015-09-25">25 September 2015</time></span></h2>
<div data-fill-with="spec-metadata">
<dl>
<dt>This version:
<dd><a class="u-url" href="https://w3c.github.io/webappsec/specs/powerfulfeatures/">https://w3c.github.io/webappsec/specs/powerfulfeatures/</a>
<dt>Latest version:
<dd><a href="http://www.w3.org/TR/powerful-features/">http://www.w3.org/TR/powerful-features/</a>
<dt>Previous Versions:
<dd><a href="http://www.w3.org/TR/2014/WD-powerful-features-20141204/" rel="previous">http://www.w3.org/TR/2014/WD-powerful-features-20141204/</a>
<dt>Version History:
<dd><a href="https://github.com/w3c/webappsec/commits/master/specs/powerfulfeatures/index.src.html">https://github.com/w3c/webappsec/commits/master/specs/powerfulfeatures/index.src.html</a>
<dt>Feedback:
<dd><span><a href="mailto:public-webappsec@w3.org?subject=%5Bpowerful-features%5D%20YOUR%20TOPIC%20HERE">public-webappsec@w3.org</a> with subject line “<kbd>[powerful-features] <var>… message topic …</var></kbd>” (<a href="http://lists.w3.org/Archives/Public/public-webappsec/" rel="discussion">archives</a>)</span>
<dt class="editor">Editors:
<dd class="editor p-author h-card vcard" data-editor-id="56384"><a class="p-name fn u-email email" href="mailto:mkwst@google.com">Mike West</a> (<span class="p-org org">Google Inc.</span>)
<dd class="editor p-author h-card vcard" data-editor-id="75060"><a class="p-name fn u-email email" href="mailto:yzhu@yahoo-inc.com">Yan Zhu</a> (<span class="p-org org">Yahoo! Inc.</span>)
<dt>Participate:
<dd><span><a href="https://github.com/w3c/webappsec/issues/new?title=SECURE:%20">File an issue</a> (<a href="https://github.com/w3c/webappsec/labels/SECURE">open issues</a>)</span>
</dl>
</div>
<div data-fill-with="warning"></div>
<p class="copyright" data-fill-with="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2015 <a href="http://www.w3.org/"><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>®</sup> (<a href="http://www.csail.mit.edu/"><abbr title="Massachusetts Institute of Technology">MIT</abbr></a>, <a href="http://www.ercim.eu/"><abbr title="European Research Consortium for Informatics and Mathematics">ERCIM</abbr></a>, <a href="http://www.keio.ac.jp/">Keio</a>, <a href="http://ev.buaa.edu.cn/">Beihang</a>). W3C <a href="http://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="http://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="http://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply. </p>
<hr title="Separator for header">
</div>
<h2 class="no-num no-toc no-ref heading settled" id="abstract"><span class="content">Abstract</span></h2>
<div class="p-summary" data-fill-with="abstract">
<p>This specification defines "secure contexts", thereby allowing user agent
implementers and specification authors to enable certain features only when
certain minimum standards of authentication and confidentiality are met.</p>
</div>
<h2 class="no-num no-toc no-ref heading settled" id="status"><span class="content">Status of this document</span></h2>
<div data-fill-with="status">
<p> This is a public copy of the editors’ draft.
It is provided for discussion only and may change at any moment.
Its publication here does not imply endorsement of its contents by W3C.
Don’t cite this document other than as work in progress. </p>
<p> <strong>Changes to this document may be tracked at <a href="https://github.com/w3c/webappsec">https://github.com/w3c/webappsec</a>.</strong> </p>
<p> The (<a href="http://lists.w3.org/Archives/Public/public-webappsec/">archived</a>) public mailing list <a href="mailto:public-webappsec@w3.org?Subject=%5Bpowerful-features%5D%20PUT%20SUBJECT%20HERE">public-webappsec@w3.org</a> (see <a href="http://www.w3.org/Mail/Request">instructions</a>)
is preferred for discussion of this specification.
When sending e-mail,
please put the text “powerful-features” in the subject,
preferably like this:
“[powerful-features] <em>…summary of comment…</em>” </p>
<p> This document was produced by the <a href="http://www.w3.org/2011/webappsec/">Web Application Security Working Group</a>. </p>
<p> This document was produced by a group operating under
the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5 February 2004 W3C Patent Policy</a>.
W3C maintains a <a href="http://www.w3.org/2004/01/pp-impl/49309/status" rel="disclosure">public list of any patent disclosures</a> made in connection with the deliverables of the group;
that page also includes instructions for disclosing a patent.
An individual who has actual knowledge of a patent which the individual believes contains <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential Claim(s)</a> must disclose the information in accordance with <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section 6 of the W3C Patent Policy</a>. </p>
<p> This document is governed by the <a href="http://www.w3.org/2015/Process-20150901/" id="w3c_process_revision">1 September 2015 W3C Process Document</a>. </p>
<p></p>
</div>
<div data-fill-with="at-risk"></div>
<h2 class="no-num no-toc no-ref heading settled" id="contents"><span class="content">Table of Contents</span></h2>
<div data-fill-with="table-of-contents" role="navigation">
<ul class="toc" role="directory">
<li>
<a href="#intro"><span class="secno">1</span> <span class="content">Introduction</span></a>
<ul class="toc">
<li>
<a href="#examples"><span class="secno">1.1</span> <span class="content">Examples</span></a>
<ul class="toc">
<li><a href="#examples-top-level"><span class="secno">1.1.1</span> <span class="content">Top-level Documents</span></a>
<li><a href="#examples-framed"><span class="secno">1.1.2</span> <span class="content">Framed Documents</span></a>
<li><a href="#examples-workers"><span class="secno">1.1.3</span> <span class="content">Web Workers</span></a>
<li><a href="#examples-shared-workers"><span class="secno">1.1.4</span> <span class="content">Shared Workers</span></a>
<li><a href="#examples-service-workers"><span class="secno">1.1.5</span> <span class="content">Service Workers</span></a>
</ul>
</ul>
<li>
<a href="#framework"><span class="secno">2</span> <span class="content">Framework</span></a>
<ul class="toc">
<li>
<a href="#monkey-patching"><span class="secno">2.1</span> <span class="content">Modifications to HTML</span></a>
<ul class="toc">
<li><a href="#monkey-patching-shared-workers"><span class="secno">2.1.1</span> <span class="content">Shared Workers</span></a>
<li><a href="#monkey-patching-global-object"><span class="secno">2.1.2</span> <span class="content">Feature Detection</span></a>
</ul>
</ul>
<li>
<a href="#algorithms"><span class="secno">3</span> <span class="content">Algorithms</span></a>
<ul class="toc">
<li><a href="#settings-object"><span class="secno">3.1</span> <span class="content"> Is <var>settings object</var> a secure context? </span></a>
<li><a href="#is-origin-trustworthy"><span class="secno">3.2</span> <span class="content"> Is <var>origin</var> potentially trustworthy? </span></a>
<li><a href="#gather-ancestors"><span class="secno">3.3</span> <span class="content"> Gather <var>document</var>’s relevant ancestors </span></a>
</ul>
<li>
<a href="#threat-models-risks"><span class="secno">4</span> <span class="content"> Threat models and risks </span></a>
<ul class="toc">
<li>
<a href="#threat-models"><span class="secno">4.1</span> <span class="content">Threat Models</span></a>
<ul class="toc">
<li><a href="#threat-passive"><span class="secno">4.1.1</span> <span class="content">Passive Network Attacker</span></a>
<li><a href="#threat-active"><span class="secno">4.1.2</span> <span class="content">Active Network Attacker</span></a>
</ul>
<li><a href="#threat-risks"><span class="secno">4.2</span> <span class="content">Risks associated with non-secure contexts</span></a>
</ul>
<li>
<a href="#security-considerations"><span class="secno">5</span> <span class="content">Security Considerations</span></a>
<ul class="toc">
<li><a href="#isolation"><span class="secno">5.1</span> <span class="content">Incomplete Isolation</span></a>
</ul>
<li>
<a href="#implementation-considerations"><span class="secno">6</span> <span class="content">Implementation Considerations</span></a>
<ul class="toc">
<li><a href="#packaged-applications"><span class="secno">6.1</span> <span class="content">Packaged Applications</span></a>
<li><a href="#development-environments"><span class="secno">6.2</span> <span class="content">Development Environments</span></a>
<li><a href="#new"><span class="secno">6.3</span> <span class="content">Restricting New Features</span></a>
<li>
<a href="#legacy"><span class="secno">6.4</span> <span class="content">Restricting Legacy Features</span></a>
<ul class="toc">
<li><a href="#legacy-example"><span class="secno">6.4.1</span> <span class="content">Example: Geolocation</span></a>
</ul>
</ul>
<li><a href="#acknowledgements"><span class="secno">7</span> <span class="content">Acknowledgements</span></a>
<li>
<a href="#conformance"><span class="secno"></span> <span class="content">Conformance</span></a>
<ul class="toc">
<li><a href="#conventions"><span class="secno"></span> <span class="content">Document conventions</span></a>
<li><a href="#conformant-algorithms"><span class="secno"></span> <span class="content">Conformant Algorithms</span></a>
</ul>
<li>
<a href="#index"><span class="secno"></span> <span class="content">Index</span></a>
<ul class="toc">
<li><a href="#index-defined-here"><span class="secno"></span> <span class="content">Terms defined by this specification</span></a>
<li><a href="#index-defined-elsewhere"><span class="secno"></span> <span class="content">Terms defined by reference</span></a>
</ul>
<li>
<a href="#references"><span class="secno"></span> <span class="content">References</span></a>
<ul class="toc">
<li><a href="#normative"><span class="secno"></span> <span class="content">Normative References</span></a>
<li><a href="#informative"><span class="secno"></span> <span class="content">Informative References</span></a>
</ul>
<li><a href="#idl-index"><span class="secno"></span> <span class="content">IDL Index</span></a>
</ul>
</div>
<main>
<section>
<h2 class="heading settled" data-level="1" id="intro"><span class="secno">1. </span><span class="content">Introduction</span><a class="self-link" href="#intro"></a></h2>
<p><em>This section is not normative.</em></p>
<p>As the Web platform is extended to enable more useful and powerful
applications, it becomes increasingly important to ensure that the features
which enable those applications are enabled only in contexts which meet a minimum
security bar. This document outlines threat models for feature abuse on the Web
and outline normative requirements which should be incorporated into documents
specifying new features.</p>
<p>The most obvious of the requirements discussed here is that application code
with access to sensitive or private data be delivered over authenticated and
confidential channels that guarantee data integrity. Delivering code securely
cannot ensure that an application will always meet a user’s security and
privacy requirements, but it is a necessary precondition.</p>
<h3 class="heading settled" data-level="1.1" id="examples"><span class="secno">1.1. </span><span class="content">Examples</span><a class="self-link" href="#examples"></a></h3>
<h4 class="heading settled" data-level="1.1.1" id="examples-top-level"><span class="secno">1.1.1. </span><span class="content">Top-level Documents</span><a class="self-link" href="#examples-top-level"></a></h4>
<p>Top-level documents are secure on their own merits:</p>
<div class="example" id="example-f9c0bcaa">
<a class="self-link" href="#example-f9c0bcaa"></a>
<p><code>https://example.com/</code> opened in a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#top-level-browsing-context">top-level browsing
context</a> is a <a data-link-type="dfn" href="#secure-context">secure context</a>, as it was delivered over
an authenticated and encrypted channel.</p>
<svg height="200" width="400">
<g transform="translate(10,10)">
<rect class="secure" height="175" width="297" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
</g>
</svg>
</div>
<div class="example" id="example-385f5648">
<a class="self-link" href="#example-385f5648"></a>
<p><code>http://non-secure.example.com/</code> opened in a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#top-level-browsing-context">top-level
browsing context</a> pops open a new window containing <code>https://example.com/</code>. The former is not a <a data-link-type="dfn" href="#secure-context">secure
context</a>; the latter is a <a data-link-type="dfn" href="#secure-context">secure context</a>, because it is a new
top-level browsing context delivered over an authenticated and encrypted
channel.</p>
<svg height="400" width="400">
<g transform="translate(10,10)">
<rect class="non-secure" height="175" width="297" x="0" y="0"></rect>
<text transform="translate(10, 20)">http://non-secure.example.com/</text>
</g>
<g transform="translate(10,210)">
<rect class="secure" height="175" width="297" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 150 287"></path>
</g>
</svg>
</div>
<h4 class="heading settled" data-level="1.1.2" id="examples-framed"><span class="secno">1.1.2. </span><span class="content">Framed Documents</span><a class="self-link" href="#examples-framed"></a></h4>
<p>Framed documents can be <a data-link-type="dfn" href="#secure-context">secure contexts</a> if they are delivered from <a data-link-type="dfn" href="#potentially-trustworthy-origin">potentially trustworthy origins</a>, <em>and</em> if they’re embedded
in a <a data-link-type="dfn" href="#secure-context">secure context</a>. That is:</p>
<div class="example" id="example-0e744dfe">
<a class="self-link" href="#example-0e744dfe"></a>
<p> if <code>https://example.com/</code> opened in a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#top-level-browsing-context">top-level browsing
context</a> opens <code>https://sub.example.com/</code> in a frame, then
both are <a data-link-type="dfn" href="#secure-context">secure contexts</a>, as both were delivered over
authenticated and encrypted channels.</p>
<svg height="200" width="400">
<g transform="translate(10,10)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g transform="translate(20, 50)">
<rect class="secure" height="105" width="250" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://sub.example.com/</text>
</g>
</g>
</svg>
</div>
<div class="example" id="example-90fe8723">
<a class="self-link" href="#example-90fe8723"></a>
<p>If <code>https://example.com/</code> was somehow able to frame <code>http://non-secure.example.com/</code> (perhaps the user has
overridden mixed content checking?), the top-level frame would remain
secure, but the framed content is not a secure context.</p>
<svg height="200" width="400">
<g transform="translate(10,10)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g transform="translate(20, 50)">
<rect class="non-secure" height="105" width="250" x="0" y="0"></rect>
<text transform="translate(10, 20)">http://non-secure.example.com/</text>
</g>
</g>
</svg>
</div>
<div class="example" id="example-c52936fc">
<a class="self-link" href="#example-c52936fc"></a>
<p>If, on the other hand, <code>https://example.com/</code> is framed
inside of <code>http://non-secure.example.com/</code>, then it is <em>not</em> a secure context, as its ancestor is not delivered over an
authenticated and encrypted channel.</p>
<svg height="200" width="400">
<g transform="translate(10,10)">
<rect class="non-secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">http://non-secure.example.com/</text>
<g transform="translate(20, 50)">
<rect class="non-secure" height="105" width="250" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
</g>
</g>
</svg>
</div>
<h4 class="heading settled" data-level="1.1.3" id="examples-workers"><span class="secno">1.1.3. </span><span class="content">Web Workers</span><a class="self-link" href="#examples-workers"></a></h4>
<p>Dedicated Web Workers are similar in nature to framed documents. They’re <a data-link-type="dfn" href="#secure-context">secure contexts</a> when they’re delivered from <a data-link-type="dfn" href="#potentially-trustworthy-origin">potentially
trustworthy origins</a>, and when their owner is itself a <a data-link-type="dfn" href="#secure-context">secure
context</a>:</p>
<div class="example" id="example-512dd4fd">
<a class="self-link" href="#example-512dd4fd"></a>
<p>If <code>https://example.com/</code> in a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#top-level-browsing-context">top-level browsing
context</a> runs <code>https://example.com/worker.js</code>, then
both the document and the worker are <a data-link-type="dfn" href="#secure-context">secure contexts</a>.</p>
<svg height="200" width="600">
<g transform="translate(10,10)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g transform="translate(400, 110)">
<circle class="secure" r="50"></circle>
<text transform="translate(-75, -55)">https://example.com/worker.js</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 110"></path>
</g>
</g>
</svg>
</div>
<div class="example" id="example-453513c5">
<a class="self-link" href="#example-453513c5"></a>
<p>If <code>http://non-secure.example.com/</code> in a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#top-level-browsing-context">top-level browsing
context</a> frames <code>https://example.com/</code>, which runs <code>https://example.com/worker.js</code>, then neither the framed document
nor the worker are <a data-link-type="dfn" href="#secure-context">secure contexts</a>.</p>
<svg height="200" width="600">
<g transform="translate(10,10)">
<rect class="non-secure" height="175" width="297" x="0" y="0"></rect>
<text transform="translate(10, 20)">http://non-secure.example.com/</text>
<g transform="translate(20, 50)">
<rect class="non-secure" height="105" width="250" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
</g>
<g transform="translate(400, 110)">
<circle class="non-secure" r="50"></circle>
<text transform="translate(-75, -55)">https://example.com/worker.js</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 110"></path>
</g>
</g>
</svg>
</div>
<h4 class="heading settled" data-level="1.1.4" id="examples-shared-workers"><span class="secno">1.1.4. </span><span class="content">Shared Workers</span><a class="self-link" href="#examples-shared-workers"></a></h4>
<p>Multiple contexts may attach to a Shared Worker. If a <a data-link-type="dfn" href="#secure-context">secure context</a> creates a Shared Worker, then it is a <a data-link-type="dfn" href="#secure-context">secure context</a>, and may only be
attached to by other <a data-link-type="dfn" href="#secure-context">secure contexts</a>. If an non-secure context creates
a Shared Worker, then it is <em>not</em> a <a data-link-type="dfn" href="#secure-context">secure context</a>, and may only
be attached to by other non-secure contexts.</p>
<div class="example" id="example-7e3c52b5">
<a class="self-link" href="#example-7e3c52b5"></a>
<p>If <code>https://example.com/</code> in a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#top-level-browsing-context">top-level browsing
context</a> runs <code>https://example.com/worker.js</code> as a Shared
Worker, then both the document and the worker are considered secure
contexts.</p>
<svg height="200" width="600">
<g transform="translate(10,10)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g transform="translate(400, 110)">
<circle class="secure" r="50"></circle>
<text transform="translate(-75, -55)">https://example.com/worker.js</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 110"></path>
</g>
</g>
</svg>
</div>
<div class="example" id="example-34d1a1ea">
<a class="self-link" href="#example-34d1a1ea"></a>
<p>If <code>https://example.com/</code> in a different <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#top-level-browsing-context">top-level
browsing context</a> (e.g. in a new window) is a secure context, so it may
access the secure shared worker:</p>
<svg height="400" width="600">
<g transform="translate(10,10)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g transform="translate(400, 110)">
<circle class="secure" r="50"></circle>
<text transform="translate(-75, -55)">https://example.com/worker.js</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 110"></path>
</g>
</g>
<g transform="translate(10,200)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 -80"></path>
</g>
</g>
</svg>
</div>
<div class="example" id="example-2829bc67">
<a class="self-link" href="#example-2829bc67"></a>
<p><code>https://example.com/</code> nested in <code>http://non-secure.example.com/</code> may not connect to the secure
worker, as it is not a secure context.</p>
<svg height="400" width="600">
<g transform="translate(10,10)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g transform="translate(400, 110)">
<circle class="secure" r="50"></circle>
<text transform="translate(-75, -55)">https://example.com/worker.js</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 110"></path>
</g>
</g>
<g transform="translate(10,200)">
<rect class="non-secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">http://non-secure.example.com/</text>
<g transform="translate(20, 50)">
<rect class="non-secure" height="105" width="250" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 20"></path>
<text class="rejection" transform="translate(405, 20)">X</text>
</g>
</g>
</svg>
</div>
<div class="example" id="example-a7414e08">
<a class="self-link" href="#example-a7414e08"></a>
<p>Likewise, if <code>https://example.com/</code> nested in <code>http://non-secure.example.com/</code> runs <code>https://example.com/worker.js</code> as a Shared
Worker, then both the document and the worker are considered non-secure.</p>
<svg height="400" width="600">
<g transform="translate(10,10)">
<rect class="non-secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">http://non-secure.example.com/</text>
<g transform="translate(20, 50)">
<rect class="non-secure" height="105" width="250" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
</g>
<g transform="translate(400, 110)">
<circle class="non-secure" r="50"></circle>
<text transform="translate(-75, -55)">https://example.com/worker.js</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 110"></path>
</g>
</g>
<g transform="translate(10,200)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 20"></path>
<text class="rejection" transform="translate(405, 20)">X</text>
</g>
</g>
</svg>
</div>
<h4 class="heading settled" data-level="1.1.5" id="examples-service-workers"><span class="secno">1.1.5. </span><span class="content">Service Workers</span><a class="self-link" href="#examples-service-workers"></a></h4>
<p>Service Workers are always <a data-link-type="dfn" href="#secure-context">secure contexts</a>. Only <a data-link-type="dfn" href="#secure-context">secure contexts</a> may register them, and they may only have clients which are <a data-link-type="dfn" href="#secure-context">secure
contexts</a>.</p>
<div class="example" id="example-58019791">
<a class="self-link" href="#example-58019791"></a>
<p>If <code>https://example.com/</code> in a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#top-level-browsing-context">top-level browsing
context</a> registers <code>https://example.com/service.js</code>,
then both the document and the Service Worker are considered secure
contexts.</p>
<svg height="200" width="600">
<g transform="translate(10,10)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g transform="translate(400, 110)">
<circle class="secure" r="50"></circle>
<text transform="translate(-75, -55)">https://example.com/service.js</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 110"></path>
</g>
</g>
</svg>
</div>
</section>
<section>
<h2 class="heading settled" data-level="2" id="framework"><span class="secno">2. </span><span class="content">Framework</span><a class="self-link" href="#framework"></a></h2>
<p>A <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#settings-object">settings object</a> is considered a <dfn data-dfn-type="dfn" data-export="" id="secure-context">secure context<a class="self-link" href="#secure-context"></a></dfn> if
the algorithm in <a href="#settings-object">§3.1 Is settings object a secure context?</a> returns "<code>Secure</code>". The <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#settings-object">settings
object</a> is otherwise <dfn data-dfn-type="dfn" data-export="" data-lt="non-secure context" id="non-secure-context">non-secure<a class="self-link" href="#non-secure-context"></a></dfn>.</p>
<h3 class="heading settled" data-level="2.1" id="monkey-patching"><span class="secno">2.1. </span><span class="content">Modifications to HTML</span><a class="self-link" href="#monkey-patching"></a></h3>
<h4 class="heading settled" data-level="2.1.1" id="monkey-patching-shared-workers"><span class="secno">2.1.1. </span><span class="content">Shared Workers</span><a class="self-link" href="#monkey-patching-shared-workers"></a></h4>
<p>The <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#dom-sharedworker">SharedWorker()</a></code> constructor will throw a <code>SecurtyError</code> exception if
a if a <a data-link-type="dfn" href="#secure-context">secure context</a> attempts to attach to an Worker which is not a <a data-link-type="dfn" href="#secure-context">secure context</a>, and if an non-secure context attempts to attach to a
Worker which is a <a data-link-type="dfn" href="#secure-context">secure context</a>. The constructor is modified as
follows:</p>
<ol>
<li data-md="">
<p>As the first substep of the <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#dom-sharedworker">SharedWorker()</a></code> constructor’s current step
7.7 ("If <var>worker global scope</var> is not <code>null</code>, then run these
steps:"), run the following step:</p>
<ol>
<li data-md="">
<p>If the result of executing <a href="#settings-object">§3.1 Is settings object a secure context?</a> on the <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#incumbent-settings-object">incumbent
settings object</a> does not match the result of executing the same
algorithm on <var>worker global scope</var>’s <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#relevant-settings-object-for-a-global-object">relevant settings
object</a>, then throw a <code>SecurityError</code> exception, and abort
the remaining steps.</p>
</ol>
</ol>
<h4 class="heading settled" data-level="2.1.2" id="monkey-patching-global-object"><span class="secno">2.1.2. </span><span class="content">Feature Detection</span><a class="self-link" href="#monkey-patching-global-object"></a></h4>
<p>To determine whether a context is capable of making use of features which
require <a data-link-type="dfn" href="#secure-context">secure contexts</a>, a simple boolean attribute is added to the
global object:</p>
<pre class="idl">partial interface <a class="idl-code" data-link-type="interface" href="http://www.w3.org/TR/dom/#interface-window">Window</a> {
readonly attribute boolean <dfn class="idl-code" data-dfn-for="Window" data-dfn-type="attribute" data-export="" data-readonly="" data-type="boolean " id="dom-window-issecurecontext">isSecureContext<a class="self-link" href="#dom-window-issecurecontext"></a></dfn>;
};
partial interface <a class="idl-code" data-link-type="interface" href="https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope">WorkerGlobalScope</a> {
readonly attribute boolean <dfn class="idl-code" data-dfn-for="WorkerGlobalScope" data-dfn-type="attribute" data-export="" data-readonly="" data-type="boolean " id="dom-workerglobalscope-issecurecontext">isSecureContext<a class="self-link" href="#dom-workerglobalscope-issecurecontext"></a></dfn>;
};
</pre>
<p>Both <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/dom/#interface-window">Window</a></code>'s <code class="idl"><a data-link-type="idl" href="#dom-window-issecurecontext">isSecureContext</a></code> and <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope">WorkerGlobalScope</a></code>'s <code class="idl"><a data-link-type="idl" href="#dom-workerglobalscope-issecurecontext">isSecureContext</a></code> attribute’s getters return <code>true</code> if the <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#relevant-settings-object-for-a-global-object">relevant settings object</a> for the getter’s <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#global-object">global object</a> is a <a data-link-type="dfn" href="#secure-context">secure context</a>, and <code>false</code> otherwise.</p>
</section>
<section>
<h2 class="heading settled" data-level="3" id="algorithms"><span class="secno">3. </span><span class="content">Algorithms</span><a class="self-link" href="#algorithms"></a></h2>
<h3 class="heading settled" data-level="3.1" id="settings-object"><span class="secno">3.1. </span><span class="content"> Is <var>settings object</var> a secure context? </span><a class="self-link" href="#settings-object"></a></h3>
<p>Given a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#settings-object">settings object</a> (<var>settings</var>), this algorithm returns
"<code>Secure</code>" if the object represents a context which the user agent fetched via
a secure channel, and "<code>Not Secure</code>" otherwise.</p>
<ol>
<li data-md="">
<p>Let <var>ancestors</var> be a list containing <var>settings</var>.</p>
<li data-md="">
<p>If <var>settings</var>' <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#global-object">global object</a> is a <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope">WorkerGlobalScope</a></code>,
then:</p>
<ol>
<li data-md="">
<p>For each <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/dom/#interface-document">Document</a></code> (<var>document</var>) in <var>settings</var>' <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#global-object">global object</a>’s list of <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/workers.html#the-workers-documents">the worker’s <code>Documents</code></a>:</p>
<ol>
<li data-md="">
<p>Add each item in the result of executing <a href="#gather-ancestors">§3.3 Gather document’s relevant ancestors</a> on <var>document</var> to <var>ancestors</var>.</p>
</ol>
</ol>
<li data-md="">
<p>Otherwise, <var>settings</var>' <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#global-object">global object</a> is a <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/dom/#interface-window">Window</a></code>, so:</p>
<ol>
<li data-md="">
<p>Add each item in the result of executing <a href="#gather-ancestors">§3.3 Gather document’s relevant ancestors</a> on <var>settings</var>' <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#responsible-document">responsible document</a> to <var>ancestors</var>.</p>
</ol>
<li data-md="">
<p>For each <var>ancestor settings</var> in <var>ancestors</var>:</p>
<ol>
<li data-md="">
<p>If <var>ancestor settings</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#https-state">HTTPS state</a> is "<code>modern</code>",
skip to the next <var>ancestor settings</var>.</p>
<li data-md="">
<p>Let <var>origin</var> be <var>ancestor settings</var>' <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc6454#section-3.2">origin</a>.</p>
<li data-md="">
<p>If <var>origin</var> is a <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc6454#section-2.3">globally unique identifier</a>, set <var>origin</var> to the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-origin">origin</a> of <var>settings</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#creation-url">creation URL</a>.</p>
<p class="note" role="note">Note: We use the origin of the URL here in order to allow sandboxed
context to remain secure (as sandboxing is a strict reduction in the
context’s capabilities, and therefore to the risk it poses). This
covers scenarios such as <code><iframe sandbox src="http://localhost/"></code>.</p>
<li data-md="">
<p>If the result of executing the <a href="#is-origin-trustworthy">§3.2 Is origin potentially trustworthy?</a> algorithm
on <var>origin</var> is <strong>not</strong> <code>Potentially Trustworthy</code>, then return "<code>Not Secure</code>".</p>
</ol>
<li data-md="">
<p>Return "<code>Secure</code>".</p>
</ol>
<h3 class="heading settled" data-level="3.2" id="is-origin-trustworthy"><span class="secno">3.2. </span><span class="content"> Is <var>origin</var> potentially trustworthy? </span><a class="self-link" href="#is-origin-trustworthy"></a></h3>
<p>A <dfn data-dfn-type="dfn" data-export="" id="potentially-trustworthy-origin">potentially trustworthy origin<a class="self-link" href="#potentially-trustworthy-origin"></a></dfn> is one which a user agent
can generally trust as delivering data securely.</p>
<p>Certain origins are always potentially trustworthy. In particular, user agents
MUST treat <code>file</code> URLs and URLs with hostnames names equivalent to <code>localhost</code> as potentially trustworthy. In principle the user agent could
treat local files and local web servers as untrustworthy, but, <em>given the
information that is available to the user agent at runtime</em>, the resources
appear to have been transported securely. Additionally, treating such
resources as potentially trustworthy is convenient for developers building an
application before deploying it to the public.</p>
<p>A user agent MAY choose to extend this trust to other, vendor-specific URL
schemes like <code>app:</code> or <code>chrome-extension:</code>.</p>
<p>Given an <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc6454#section-3.2">origin</a> <var>origin</var>, the following algorithm returns <code>Potentially Trustworthy</code> or <code>Not Trustworthy</code> as
appropriate.</p>
<ol>
<li data-md="">
<p>If <var>origin</var> is a <a data-link-type="dfn" href="https://w3c.github.io/webappsec/specs/mixedcontent/#potentially-secure-origin">potentially secure origin</a>, return <code>Potentially Trustworthy</code>.</p>
<p class="note" role="note">Note: The origin of <code>blob:</code> and <code>filesystem:</code> URLs
is the origin of the context in which they were created. Therefore,
blobs created in an potentially secure origin will themselves be
potentially secure. The origin of <code>data:</code> and <code>javascript:</code> URLs is an opaque identifier, which will not
be considered potentially secure.</p>
<li data-md="">
<p>If <var>origin</var>’s <code>host</code> component is or falls within <code>localhost.</code> <a data-link-type="biblio" href="#biblio-rfc6761">[RFC6761]</a>, return <code>Potentially
Trustworthy</code>.</p>
<li data-md="">
<p>If <var>origin</var>’s <code>host</code> component matches one of
the CIDR notations <code>127.0.0.0/8</code> or <code>::1/128</code> <a data-link-type="biblio" href="#biblio-rfc4632">[RFC4632]</a>, return <code>Potentially Trustworthy</code>.</p>
<li data-md="">
<p>If <var>origin</var>’s <code>scheme</code> component is <code>file</code>, return <code>Potentially Trustworthy</code>.</p>
<li data-md="">
<p>If <var>origin</var>’s <code>scheme</code> component is one which
the user agent considers to be authenticated, return <code>Potentially Trustworthy</code>.</p>
<p class="note" role="note">Note: See <a href="#packaged-applications">§6.1 Packaged Applications</a> for detail here.</p>
<li data-md="">
<p>If <var>origin</var> has been configured as a trustworthy origin,
return <code>Potentially Trustworthy</code>.</p>
<p class="note" role="note">Note: See <a href="#development-environments">§6.2 Development Environments</a> for detail here.</p>
<li data-md="">
<p>Return <code>Not Trusted</code>.</p>
</ol>
<h3 class="heading settled" data-level="3.3" id="gather-ancestors"><span class="secno">3.3. </span><span class="content"> Gather <var>document</var>’s relevant ancestors </span><a class="self-link" href="#gather-ancestors"></a></h3>
<p>Given a <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/dom/#interface-document">Document</a></code> (<var>document</var>), this algorithm returns a list of <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#settings-object">settings objects</a> which ought to be considered when determining whether
or not <var>document</var> is a <a data-link-type="dfn" href="#secure-context">secure context</a>.</p>
<ol>
<li data-md="">
<p>Let <var>ancestors</var> be a list containing <var>document</var>’s <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#relevant-settings-object-for-a-global-object">relevant settings object</a>.</p>
<li data-md="">
<p>While <var>document</var> has a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#creator-document">creator <code>Document</code></a> <var>creator</var>:</p>
<ol>
<li data-md="">
<p>If <var>creator</var>’s <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#browsing-context">browsing context</a> is an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#ancestor-browsing-context">ancestor
browsing context</a> of <var>document</var>:</p>
<ol>
<li data-md="">
<p>Insert <var>creator</var>’s <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#relevant-settings-object-for-a-global-object">relevant settings object</a> into <var>ancestors</var>, unless <var>creator</var> is <a data-link-type="dfn" href="http://www.w3.org/TR/html5/embedded-content-0.html#an-iframe-srcdoc-document">an IFrame <code>srcdoc</code> <code>Document</code></a>.</p>
<li data-md="">
<p>Let <var>document</var> be <var>creator</var>.</p>
</ol>
<li data-md="">
<p>Otherwise, exit this loop.</p>
</ol>
<li data-md="">
<p>Return <var>ancestors</var>.</p>
</ol>
<p class="note" role="note">Note: When gathering a <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/dom/#interface-document">Document</a></code>'s ancestors, we walk the browsing context
creation document chain, but stop when that chain spans across more than one <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/dom/#interface-window">Window</a></code>. That is, a newly opened window is evaluated on its own merits,
without regard for the status of the opener.</p>
</section>
<section>
<h2 class="heading settled" data-level="4" id="threat-models-risks"><span class="secno">4. </span><span class="content"> Threat models and risks </span><a class="self-link" href="#threat-models-risks"></a></h2>
<p><em>This section is non-normative.</em></p>
<h3 class="heading settled" data-level="4.1" id="threat-models"><span class="secno">4.1. </span><span class="content">Threat Models</span><a class="self-link" href="#threat-models"></a></h3>
<p>Granting permissions to unauthenticated origins is, in the presence of a
network attacker, equivalent to granting the permissions to any origin. The
state of the Internet is such that we must indeed assume that a network
attacker is present. Generally, network attackers fall into 2 classes:
passive and active.</p>
<h4 class="heading settled" data-level="4.1.1" id="threat-passive"><span class="secno">4.1.1. </span><span class="content">Passive Network Attacker</span><a class="self-link" href="#threat-passive"></a></h4>
<p>A "Passive Network Attacker" is a party who is able to observe traffic
flows but who lacks the ability or chooses not to modify traffic at
the layers which this specification is concerned with.</p>
<p>Surveillance of networks in this manner "subverts the intent of communicating
parties without the agreement of these parties" and one "cannot defend against
the most nefarious actors while allowing monitoring by other actors no matter
how benevolent some might consider them to be." <a data-link-type="biblio" href="#biblio-rfc7258">[RFC7258]</a> Therefore, the
algorithms defined in this document require mechansims that provide for the
privacy of data at the application layer, not simply integrity.</p>
<h4 class="heading settled" data-level="4.1.2" id="threat-active"><span class="secno">4.1.2. </span><span class="content">Active Network Attacker</span><a class="self-link" href="#threat-active"></a></h4>
<p>An "Active Network Attacker" has all the capabilities of a "Passive Network
Attacker" and is additionally able to modify, block or replay any data
transiting the network. These capabilities are available to potential
adversaries at many levels of capability, from compromised devices offering
or simply participating in public wireless networks, to Internet Service
Providers indirectly introducing security and privacy vulnerabilities while
manipulating traffic for financial gain (<a data-link-type="biblio" href="#biblio-verizon">[VERIZON]</a> and <a data-link-type="biblio" href="#biblio-comcast">[COMCAST]</a> are
recent examples), to parties with direct intent to compromise security or
privacy who are able to target individual users, organizations or even
entire populations.</p>
<h3 class="heading settled" data-level="4.2" id="threat-risks"><span class="secno">4.2. </span><span class="content">Risks associated with non-secure contexts</span><a class="self-link" href="#threat-risks"></a></h3>
<p>Certain web platform features that have a distinct impact on a user’s
security or privacy should be available for use only in <a data-link-type="dfn" href="#secure-context">secure
contexts</a> in order to defend against the threats above. Features
available in non-secure contexts risk exposing these capabilities to
network attackers:</p>
<ol>
<li> The ability to read and modify sensitive data (personally-identifying
information, credentials, payment instruments, and so on). <a data-link-type="biblio" href="#biblio-credential-management">[CREDENTIAL-MANAGEMENT]</a> is an example of an API that handles sensitive
data.
<li> The ability to read and modify input from sensors on a user’s device
(camera, microphone, and GPS being particularly noteworthy, but
certainly including less obviously dangerous sensors like the
accelerometer). <a data-link-type="biblio" href="#biblio-geolocation-api">[GEOLOCATION-API]</a> and <a data-link-type="biblio" href="#biblio-mediacapture-streams">[MEDIACAPTURE-STREAMS]</a> are
historical examples of features that use sensor input.
<li> The ability to access information about other devices a user
has access to. <a data-link-type="biblio" href="#biblio-discovery">[DISCOVERY]</a> and <a data-link-type="biblio" href="#biblio-bluetooth">[BLUETOOTH]</a> are good examples.
<li> The ability to track users using temporary or persistent identifiers,
including identifiers which reset themselves after some period of time
(e.g. <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/webstorage.html#the-sessionstorage-attribute">sessionStorage</a></code>), identifiers the user can manually reset
(e.g. <a data-link-type="biblio" href="#biblio-encrypted-media">[ENCRYPTED-MEDIA]</a>, Cookies <a data-link-type="biblio" href="#biblio-rfc6265">[RFC6265]</a>, and <a data-link-type="biblio" href="#biblio-indexeddb">[IndexedDB]</a>),
as well as identifying hardware features the user can’t easily reset.
<li> The ability to introduce some state for an origin which persists across
browsing sessions. <a data-link-type="biblio" href="#biblio-service-workers">[SERVICE-WORKERS]</a> is a great example.
<li> The ability to manipulate a user agent’s native UI in some way which
removes, obscures, or manipulates details relevant to a user’s
understanding of their context. <a data-link-type="biblio" href="#biblio-fullscreen">[FULLSCREEN]</a>, for instance.
<li> The ability to introduce some functionality for which user permission will
be required.
</ol>
<p>This list is non-exhaustive, but should give you a feel for the types of
risks we should consider when writing or implementing specifications.</p>
<p class="note" role="note">Note: While restricting a feature itself to <a data-link-type="dfn" href="#secure-context">secure contexts</a> is
critical, we ought not forget that facilities that carry such information
(such as new network access mechanisms, or other generic functions with access
to network data) are equally sensitive.</p>
</section>
<section>
<h2 class="heading settled" data-level="5" id="security-considerations"><span class="secno">5. </span><span class="content">Security Considerations</span><a class="self-link" href="#security-considerations"></a></h2>
<h3 class="heading settled" data-level="5.1" id="isolation"><span class="secno">5.1. </span><span class="content">Incomplete Isolation</span><a class="self-link" href="#isolation"></a></h3>
<p>The <a data-link-type="dfn" href="#secure-context">secure context</a> definition in this document does not completely
isolate a "secure" view on an origin from an "non-secure" view on the same
origin. That is, a developer who is actively working to bypass the secure
context restriction on a particular API will be able to create a <code>postMessage</code>-based shim if they’re willing to pop up a new window
and rely on its persistence (as the new window will be a new top-level
browsing context, and will be evaluated without regard for the opener’s
state).</p>
<p>More esoteric exfiltration methods will be available as well, ranging from
shared <code>localStorage</code> and related <code>storage</code> events to <code>window.name</code> tricks.</p>
</section>
<section>
<h2 class="heading settled" data-level="6" id="implementation-considerations"><span class="secno">6. </span><span class="content">Implementation Considerations</span><a class="self-link" href="#implementation-considerations"></a></h2>
<h3 class="heading settled" data-level="6.1" id="packaged-applications"><span class="secno">6.1. </span><span class="content">Packaged Applications</span><a class="self-link" href="#packaged-applications"></a></h3>
<p>User agents that support packaged applications MAY whitelist specific URL
schemes whose contents are authenticated by the user agent. For example,
FirefoxOS application resources are referred to by a URL whose <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a> component is <code>app:</code>. Likewise, Chrome’s extensions
and apps live on <code>chrome-extension:</code> schemes. These could reasonably be
considered trusted origins.</p>
<h3 class="heading settled" data-level="6.2" id="development-environments"><span class="secno">6.2. </span><span class="content">Development Environments</span><a class="self-link" href="#development-environments"></a></h3>
<p>In order to support developers who run staging servers on non-loopback hosts,
user agents MAY allow users to configure specific sets of origins as
trustworthy, even though <a href="#is-origin-trustworthy">§3.2 Is origin potentially trustworthy?</a> would normally return <code>Not Trusted</code>.</p>
<h3 class="heading settled" data-level="6.3" id="new"><span class="secno">6.3. </span><span class="content">Restricting New Features</span><a class="self-link" href="#new"></a></h3>
<p><em>This section is non-normative.</em></p>
<p>When writing a specification for new features, we recommend that authors
and editors guard sensitive APIs with checks against <a data-link-type="dfn" href="#secure-context">secure contexts</a>.
For example, something like the following might be a good approach:</p>
<div class="example" id="example-1611693b">
<a class="self-link" href="#example-1611693b"></a>
<ol>
<li>
If the <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#incumbent-settings-object">incumbent settings object</a> is <em>not</em> a <a data-link-type="dfn" href="#secure-context">secure
context</a>, then:
<ol>
<li> [<i>insert something appropriate here: perhaps a Promise could be
rejected with a <code>SecurityError</code>, an error callback could be called,
a permission request denied, etc.</i>].
</ol>
</ol>
</div>
<h3 class="heading settled" data-level="6.4" id="legacy"><span class="secno">6.4. </span><span class="content">Restricting Legacy Features</span><a class="self-link" href="#legacy"></a></h3>
<p><em>This section is non-normative.</em></p>
<p>The list above clearly includes some existing functionality that is currently
available to the web over non-secure channels. We recommend that such legacy
functionality begin requiring a <a data-link-type="dfn" href="#secure-context">secure context</a> as quickly as is
reasonably possible.</p>
<ol>
<li data-md="">
<p>If such a feature is not widely implemented, we recommend that the
specification be immediately <a data-link-type="dfn" href="http://www.w3.org/2014/Process-20140801/#rec-modify">modified</a> to include a restriction
to <a data-link-type="dfn" href="#secure-context">secure contexts</a>.</p>
<li data-md="">
<p>If such a feature is widely implemented, but not yet in wide use, we
recommend that it be quickly restricted to <a data-link-type="dfn" href="#secure-context">secure contexts</a> by
adding a check as described in <a href="#new">§6.3 Restricting New Features</a> to existing implementations, and <a data-link-type="dfn" href="http://www.w3.org/2014/Process-20140801/#rec-modify">modifying the specification</a> accordingly.</p>
<li data-md="">
<p>If such a feature is in wide use, we recommend that the existing
functionality be deprecated; the specification should be <a data-link-type="dfn" href="http://www.w3.org/2014/Process-20140801/#rec-modify">modified</a> to note that it does not
conform to the restrictions outlined in this document, and a plan should
be developed to both offer a conformant version of the feature and to
migrate existing users into that new version.</p>
</ol>
<h4 class="heading settled" data-level="6.4.1" id="legacy-example"><span class="secno">6.4.1. </span><span class="content">Example: Geolocation</span><a class="self-link" href="#legacy-example"></a></h4>
<p>The <a data-link-type="biblio" href="#biblio-geolocation-api">[GEOLOCATION-API]</a> is a good concrete example of such an feature; it is
widely implemented and used on a large number of non-secure sites. A reasonable
path forward might look like this:</p>
<ol>
<li data-md="">
<p><a data-link-type="dfn" href="http://www.w3.org/2014/Process-20140801/#rec-modify">Modify</a> the specification to include
checks against <a data-link-type="dfn" href="#secure-context">secure context</a> before executing the algorithms for <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/geolocation-API/#get-current-position">getCurrentPosition()</a></code> and <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/geolocation-API/#watch-position">watchPosition()</a></code>.</p>
<p>If the <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#incumbent-settings-object">incumbent settings object</a> is not a <a data-link-type="dfn" href="#secure-context">secure context</a>,
then the algorithms should be aborted, and the <var>errorCallback</var> invoked with a <code>code</code> of <code>PERMISSION_DENIED</code>.</p>
<li data-md="">
<p>User agents should announce clear intentions to disable the API for
non-secure contexts on a specific date, and warn developers accordingly
(via console messages, for example).</p>
<li data-md="">
<p>Leading up to the flag day, user agents should announce a deprecation
schedule to ensure both that site authors recognize the need to modify
their code before it simply stops working altogether, and to protect
users in the meantime. Such a plan might include any or all of:</p>
<ol>
<li data-md="">
<p>Disallowing persistent permission grants to non-secure origins</p>
<li data-md="">
<p>Coarsening the accuracy of the API for non-secure origins (perhaps
consistently returning city-level data rather than high-accuracy
data)</p>
<li data-md="">
<p>UI modifications to inform users and site authors of the risk</p>
</ol>
</ol>
</section>
<section>
<h2 class="heading settled" data-level="7" id="acknowledgements"><span class="secno">7. </span><span class="content">Acknowledgements</span><a class="self-link" href="#acknowledgements"></a></h2>
<p>This document is largely based on the Chrome Security team’s work on <a data-link-type="biblio" href="#biblio-powerful-new-features">[POWERFUL-NEW-FEATURES]</a>. Chris Palmer, Ryan Sleevi, and David Dorwin have
been particularly engaged. Anne van Kesteren, Boris Zbarsky, and Henri Sivonen
have also provided very helpful feedback.</p>
</section>
</main>
<h2 class="no-ref no-num heading settled" id="conformance"><span class="content">Conformance</span><a class="self-link" href="#conformance"></a></h2>
<h3 class="no-ref no-num heading settled" id="conventions"><span class="content">Document conventions</span><a class="self-link" href="#conventions"></a></h3>
<p>Conformance requirements are expressed with a combination of
descriptive assertions and RFC 2119 terminology. The key words "MUST",
"MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "MAY", and "OPTIONAL" in the normative parts of this
document are to be interpreted as described in RFC 2119.
However, for readability, these words do not appear in all uppercase
letters in this specification. </p>
<p>All of the text of this specification is normative except sections
explicitly marked as non-normative, examples, and notes. <a data-link-type="biblio" href="#biblio-rfc2119">[RFC2119]</a></p>
<p>Examples in this specification are introduced with the words "for example"
or are set apart from the normative text with <code>class="example"</code>,
like this: </p>
<div class="example" id="example-f839f6c8">
<a class="self-link" href="#example-f839f6c8"></a>
<p>This is an example of an informative example.</p>
</div>
<p>Informative notes begin with the word "Note" and are set apart from the
normative text with <code>class="note"</code>, like this: </p>
<p class="note" role="note">Note, this is an informative note.</p>
<h3 class="no-ref no-num heading settled" id="conformant-algorithms"><span class="content">Conformant Algorithms</span><a class="self-link" href="#conformant-algorithms"></a></h3>
<p>Requirements phrased in the imperative as part of algorithms (such as
"strip any leading space characters" or "return false and abort these
steps") are to be interpreted with the meaning of the key word ("must",
"should", "may", etc) used in introducing the algorithm.</p>
<p>Conformance requirements phrased as algorithms or specific steps can be
implemented in any manner, so long as the end result is equivalent. In
particular, the algorithms defined in this specification are intended to
be easy to understand and are not intended to be performant. Implementers
are encouraged to optimize.</p>
<h2 class="no-num heading settled" id="index"><span class="content">Index</span><a class="self-link" href="#index"></a></h2>
<h3 class="no-num heading settled" id="index-defined-here"><span class="content">Terms defined by this specification</span><a class="self-link" href="#index-defined-here"></a></h3>
<ul class="indexlist">
<li>
isSecureContext
<ul>
<li><a href="#dom-window-issecurecontext">attribute for Window</a><span>, in §2.1.2</span>
<li><a href="#dom-workerglobalscope-issecurecontext">attribute for WorkerGlobalScope</a><span>, in §2.1.2</span>
</ul>
<li><a href="#non-secure-context">non-secure context</a><span>, in §2</span>
<li><a href="#potentially-trustworthy-origin">potentially trustworthy origin</a><span>, in §3.2</span>
<li><a href="#secure-context">secure context</a><span>, in §2</span>
</ul>
<h3 class="no-num heading settled" id="index-defined-elsewhere"><span class="content">Terms defined by reference</span><a class="self-link" href="#index-defined-elsewhere"></a></h3>
<ul class="indexlist">
<li>
<a data-link-type="biblio" href="#biblio-dom">[dom]</a> defines the following terms:
<ul>
<li><a href="http://www.w3.org/TR/dom/#interface-document">Document</a>
<li><a href="http://www.w3.org/TR/dom/#interface-window">Window</a>
</ul>
<li>
<a data-link-type="biblio" href="#biblio-geolocation-api">[geolocation-API]</a> defines the following terms:
<ul>
<li><a href="http://www.w3.org/TR/geolocation-API/#get-current-position">getCurrentPosition()</a>
<li><a href="http://www.w3.org/TR/geolocation-API/#watch-position">watchPosition()</a>
</ul>
<li>
<a data-link-type="biblio" href="#biblio-html">[HTML]</a> defines the following terms:
<ul>
<li><a href="https://html.spec.whatwg.org/multipage/workers.html#dom-sharedworker">SharedWorker()</a>
<li><a href="https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope">WorkerGlobalScope</a>
<li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#creation-url">creation url</a>
<li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#https-state">https state</a>
<li><a href="https://html.spec.whatwg.org/multipage/workers.html#the-workers-documents">the worker's documents</a>
</ul>
<li>
<a data-link-type="biblio" href="#biblio-html5">[html5]</a> defines the following terms:
<ul>
<li><a href="http://www.w3.org/TR/html5/embedded-content-0.html#an-iframe-srcdoc-document">an iframe srcdoc document</a>
<li><a href="http://www.w3.org/TR/html5/browsers.html#ancestor-browsing-context">ancestor browsing context</a>
<li><a href="http://www.w3.org/TR/html5/browsers.html#browsing-context">browsing context</a>
<li><a href="http://www.w3.org/TR/html5/browsers.html#creator-document">creator document</a>
<li><a href="http://www.w3.org/TR/html5/webappapis.html#global-object">global object</a>
<li><a href="http://www.w3.org/TR/html5/webappapis.html#incumbent-settings-object">incumbent settings object</a>
<li><a href="http://www.w3.org/TR/html5/webappapis.html#relevant-settings-object-for-a-global-object">relevant settings object</a>
<li><a href="http://www.w3.org/TR/html5/webappapis.html#responsible-document">responsible document</a>
<li><a href="http://www.w3.org/TR/html5/webstorage.html#the-sessionstorage-attribute">sessionStorage</a>
<li><a href="http://www.w3.org/TR/html5/webappapis.html#settings-object">settings object</a>
<li><a href="http://www.w3.org/TR/html5/browsers.html#top-level-browsing-context">top-level browsing context</a>
</ul>
<li>
<a data-link-type="biblio" href="#biblio-mix">[MIX]</a> defines the following terms:
<ul>
<li><a href="https://w3c.github.io/webappsec/specs/mixedcontent/#potentially-secure-origin">potentially secure origin</a>
</ul>
<li>
<a data-link-type="biblio" href="#biblio-rfc6454">[RFC6454]</a> defines the following terms:
<ul>
<li><a href="https://tools.ietf.org/html/rfc6454#section-2.3">globally unique identifier</a>
<li><a href="https://tools.ietf.org/html/rfc6454#section-3.2">origin</a>
</ul>
<li>
<a data-link-type="biblio" href="#biblio-url">[URL]</a> defines the following terms:
<ul>
<li><a href="https://url.spec.whatwg.org/#concept-url-origin">origin of a url</a>
<li><a href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a>
</ul>
<li>
<a data-link-type="biblio" href="#biblio-w3c-process">[W3C-PROCESS]</a> defines the following terms:
<ul>
<li><a href="http://www.w3.org/2014/Process-20140801/#rec-modify">modify a specification</a>
</ul>
</ul>
<h2 class="no-num heading settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2>
<h3 class="no-num heading settled" id="normative"><span class="content">Normative References</span><a class="self-link" href="#normative"></a></h3>
<dl>
<dt id="biblio-html"><a class="self-link" href="#biblio-html"></a>[HTML]
<dd>Ian Hickson. <a href="https://html.spec.whatwg.org/multipage/">HTML Standard</a>. Living Standard. URL: <a href="https://html.spec.whatwg.org/multipage/">https://html.spec.whatwg.org/multipage/</a>
<dt id="biblio-mix"><a class="self-link" href="#biblio-mix"></a>[MIX]
<dd>Mike West. <a href="https://w3c.github.io/webappsec/specs/mixedcontent/">Mixed Content</a>. LCWD. URL: <a href="https://w3c.github.io/webappsec/specs/mixedcontent/">https://w3c.github.io/webappsec/specs/mixedcontent/</a>
<dt id="biblio-rfc4632"><a class="self-link" href="#biblio-rfc4632"></a>[RFC4632]
<dd>Vince Fuller; Tony Li. <a href="http://www.ietf.org/rfc/rfc4632.txt">Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan</a>. RFC. URL: <a href="http://www.ietf.org/rfc/rfc4632.txt">http://www.ietf.org/rfc/rfc4632.txt</a>
<dt id="biblio-rfc6454"><a class="self-link" href="#biblio-rfc6454"></a>[RFC6454]
<dd>Adam Barth. <a href="http://www.ietf.org/rfc/rfc6454.txt">The Web Origin Concept</a>. RFC. URL: <a href="http://www.ietf.org/rfc/rfc6454.txt">http://www.ietf.org/rfc/rfc6454.txt</a>
<dt id="biblio-rfc6761"><a class="self-link" href="#biblio-rfc6761"></a>[RFC6761]
<dd>Stuart Cheshire; Marc Krochmal. <a href="http://www.ietf.org/rfc/rfc6761.txt">Special-Use Domain Names</a>. RFC. URL: <a href="http://www.ietf.org/rfc/rfc6761.txt">http://www.ietf.org/rfc/rfc6761.txt</a>
<dt id="biblio-url"><a class="self-link" href="#biblio-url"></a>[URL]
<dd>Anne van Kesteren. <a href="https://url.spec.whatwg.org/">URL</a>. Living Standard. URL: <a href="https://url.spec.whatwg.org/">https://url.spec.whatwg.org/</a>
<dt id="biblio-w3c-process"><a class="self-link" href="#biblio-w3c-process"></a>[W3C-PROCESS]
<dd>Charles McCathie Nevile. <a href="http://www.w3.org/2014/Process-20140801/">World Wide Web Consortium Process Document</a>. URL: <a href="http://www.w3.org/2014/Process-20140801/">http://www.w3.org/2014/Process-20140801/</a>
<dt id="biblio-dom"><a class="self-link" href="#biblio-dom"></a>[DOM]
<dd>Anne van Kesteren; et al. <a href="http://www.w3.org/TR/dom/">W3C DOM4</a>. 18 June 2015. LCWD. URL: <a href="http://www.w3.org/TR/dom/">http://www.w3.org/TR/dom/</a>
<dt id="biblio-geolocation-api"><a class="self-link" href="#biblio-geolocation-api"></a>[geolocation-API]
<dd>Andrei Popescu. <a href="http://www.w3.org/TR/geolocation-API/">Geolocation API Specification</a>. 28 May 2015. PER. URL: <a href="http://www.w3.org/TR/geolocation-API/">http://www.w3.org/TR/geolocation-API/</a>
<dt id="biblio-html5"><a class="self-link" href="#biblio-html5"></a>[HTML5]
<dd>Ian Hickson; et al. <a href="http://www.w3.org/TR/html5/">HTML5</a>. 28 October 2014. REC. URL: <a href="http://www.w3.org/TR/html5/">http://www.w3.org/TR/html5/</a>
<dt id="biblio-rfc2119"><a class="self-link" href="#biblio-rfc2119"></a>[RFC2119]
<dd>S. Bradner. <a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a>
</dl>
<h3 class="no-num heading settled" id="informative"><span class="content">Informative References</span><a class="self-link" href="#informative"></a></h3>
<dl>
<dt id="biblio-bluetooth"><a class="self-link" href="#biblio-bluetooth"></a>[BLUETOOTH]
<dd>Jeffrey Yasskin; Vincent Scheib. <a href="https://webbluetoothcg.github.io/web-bluetooth/">Web Bluetooth</a>. URL: <a href="https://webbluetoothcg.github.io/web-bluetooth/">https://webbluetoothcg.github.io/web-bluetooth/</a>
<dt id="biblio-comcast"><a class="self-link" href="#biblio-comcast"></a>[COMCAST]
<dd>David Kravets. <a href="http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/">Comcast Wi-Fi serving self-promotional ads via JavaScript injection</a>. URL: <a href="http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/">http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/</a>
<dt id="biblio-credential-management"><a class="self-link" href="#biblio-credential-management"></a>[CREDENTIAL-MANAGEMENT]
<dd>Mike West. <a href="https://w3c.github.io/webappsec/specs/credentialmanagement/">Credential Management</a>. ED. URL: <a href="https://w3c.github.io/webappsec/specs/credentialmanagement/">https://w3c.github.io/webappsec/specs/credentialmanagement/</a>
<dt id="biblio-discovery"><a class="self-link" href="#biblio-discovery"></a>[DISCOVERY]
<dd>Rich Tibbett. <a href="https://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html">Network Service Discovery</a>. URL: <a href="https://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html">https://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html</a>
<dt id="biblio-indexeddb"><a class="self-link" href="#biblio-indexeddb"></a>[IndexedDB]
<dd>Nikunj Mehta; et al. <a href="http://www.w3.org/TR/IndexedDB/">Indexed Database API</a>. 8 January 2015. REC. URL: <a href="http://www.w3.org/TR/IndexedDB/">http://www.w3.org/TR/IndexedDB/</a>
<dt id="biblio-powerful-new-features"><a class="self-link" href="#biblio-powerful-new-features"></a>[POWERFUL-NEW-FEATURES]
<dd>Chrome Security Team. <a href="https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features">Prefer Secure Origins For Powerful New Features</a>. URL: <a href="https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features">https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features</a>
<dt id="biblio-rfc7258"><a class="self-link" href="#biblio-rfc7258"></a>[RFC7258]
<dd>Stephen Farrell; Hannes Tschofenig. <a href="http://www.ietf.org/rfc/rfc7258.txt">Pervasive Monitoring Is an Attack</a>. RFC. URL: <a href="http://www.ietf.org/rfc/rfc7258.txt">http://www.ietf.org/rfc/rfc7258.txt</a>
<dt id="biblio-verizon"><a class="self-link" href="#biblio-verizon"></a>[VERIZON]
<dd>Mark Bergen; Alex Kantrowitz. <a href="http://adage.com/article/digital/verizon-target-mobile-subscribers-ads/293356/">Verizon looks to target its mobile subscribers with ads</a>. URL: <a href="http://adage.com/article/digital/verizon-target-mobile-subscribers-ads/293356/">http://adage.com/article/digital/verizon-target-mobile-subscribers-ads/293356/</a>
<dt id="biblio-encrypted-media"><a class="self-link" href="#biblio-encrypted-media"></a>[ENCRYPTED-MEDIA]
<dd>David Dorwin; et al. <a href="http://www.w3.org/TR/encrypted-media/">Encrypted Media Extensions</a>. 31 March 2015. WD. URL: <a href="http://www.w3.org/TR/encrypted-media/">http://www.w3.org/TR/encrypted-media/</a>
<dt id="biblio-fullscreen"><a class="self-link" href="#biblio-fullscreen"></a>[FULLSCREEN]
<dd>Anne van Kesteren; Tantek Çelik. <a href="http://www.w3.org/TR/fullscreen/">Fullscreen</a>. 18 November 2014. NOTE. URL: <a href="http://www.w3.org/TR/fullscreen/">http://www.w3.org/TR/fullscreen/</a>
<dt id="biblio-mediacapture-streams"><a class="self-link" href="#biblio-mediacapture-streams"></a>[MEDIACAPTURE-STREAMS]
<dd>Daniel Burnett; et al. <a href="http://www.w3.org/TR/mediacapture-streams/">Media Capture and Streams</a>. 14 April 2015. LCWD. URL: <a href="http://www.w3.org/TR/mediacapture-streams/">http://www.w3.org/TR/mediacapture-streams/</a>
<dt id="biblio-rfc6265"><a class="self-link" href="#biblio-rfc6265"></a>[RFC6265]
<dd>A. Barth. <a href="https://tools.ietf.org/html/rfc6265">HTTP State Management Mechanism</a>. April 2011. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc6265">https://tools.ietf.org/html/rfc6265</a>
<dt id="biblio-service-workers"><a class="self-link" href="#biblio-service-workers"></a>[SERVICE-WORKERS]
<dd>Alex Russell; Jungkee Song; Jake Archibald. <a href="http://www.w3.org/TR/service-workers/">Service Workers</a>. 25 June 2015. WD. URL: <a href="http://www.w3.org/TR/service-workers/">http://www.w3.org/TR/service-workers/</a>
</dl>
<h2 class="no-num heading settled" id="idl-index"><span class="content">IDL Index</span><a class="self-link" href="#idl-index"></a></h2>
<pre class="idl">partial interface <a class="idl-code" data-link-type="interface" href="http://www.w3.org/TR/dom/#interface-window">Window</a> {
readonly attribute boolean <a data-readonly="" data-type="boolean " href="#dom-window-issecurecontext">isSecureContext</a>;
};
partial interface <a class="idl-code" data-link-type="interface" href="https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope">WorkerGlobalScope</a> {
readonly attribute boolean <a data-readonly="" data-type="boolean " href="#dom-workerglobalscope-issecurecontext">isSecureContext</a>;
};
</pre>
</body>
</html>