From 58921e0254b0f46e1d0ac53a6fa84afe14397d0c Mon Sep 17 00:00:00 2001
From: Mike West
Copyright © 2014 W3C® @@ -126,7 +126,7 @@
Document
or environment settings object is considered
- sufficiently secure to use powerful features if
- and only if the algorithm defined in §4.1
+ A Document
is considered sufficiently secure if
+ the algorithm defined in §4.1
Is Document a sufficiently secure context?
-
- or §4.2
- Is environment settings object a sufficiently secure context?
- , respectively, returns
+ returns
Sufficiently Secure
when executed upon it.
-The goal of the normative algorithms noted above is that - powerful features only be enabled in the - context of an origin with one or more of the following - characteristics:
- - -Note: URLs that do not use
- hierarchical
- elements as naming authorities (for example: blob:
, and
- data:
) have origins which are globally unique identifiers
- [URI].
Likewise, a settings object is considered sufficiently
+ secure if the algorithm defined in
+ §4.2
+ Is settings object a sufficiently secure context?
+ returns Sufficiently
+ Secure
when executed upon it.
Document
A, the embedding
- document of A is the Document
+ Given a Document
A, the embedding
+ document of A is the Document
through which A’s browsing
context is nested.
An origin defines the scope of authority or privilege + under which a resource operates. It boils down to a tuple of scheme, host, + and port. The concept is defined in detail in [RFC6454].
+ +A potentially secure origin is an origin that isn’t + insecure a priori, defined in detail in [MIX].
+ +The TLS State of a Response
is
+ defined in [FETCH].
The following terms are defined in [HTML5]:
+ +Document
Given a Document
document, this algorithm returns
- Sufficiently Secure
if the Document
represents a
- sufficiently secure context or Insecure
otherwise.
Given a Document
document, this algorithm returns
+ Sufficiently Secure
if the Document
represents a
+ sufficiently secure context or Insecure
otherwise.
Document
.
+ context’s browsing context container’s Document
.
Insecure
, return
@@ -407,11 +369,11 @@ true
.
Given an environment settings object settings, this
- algorithm returns Sufficiently Secure
if the object represents
- a sufficiently secure context, and Insecure
otherwise.
Given an settings object settings, this algorithm returns
+ Sufficiently Secure
if the object represents a sufficiently
+ secure context, and Insecure
otherwise.
authenticated
, return Sufficiently Secure
.
app:
or chrome-extension:
.
-Given an origin origin, the following algorithm returns +
Given an origin origin, the following algorithm returns
Potentially Trustworthy
or Not Trustworthy
as
appropriate.
Potentially Trustworthy
.
Note: The origin of blob:
and filesystem:
URLs
@@ -618,7 +580,7 @@
localStorage
, IndexedDB, etc, which all persist state (and
potentially identifiers) across browsing sessions. They’re certainly not
features we can reasonably limit to secure contexts in the forseeable future.
diff --git a/specs/powerfulfeatures/index.src.html b/specs/powerfulfeatures/index.src.html
index 2508644d..0db0b843 100644
--- a/specs/powerfulfeatures/index.src.html
+++ b/specs/powerfulfeatures/index.src.html
@@ -24,7 +24,7 @@ [ @@ -56,6 +56,13 @@Requirements for Powerful Features
"shortname": "html5", "level": 0 }, + { + "linkingText": "origin", + "type": "dfn", + "url": "https://tools.ietf.org/html/rfc6454#section-3.2", + "shortname": "RFC6454", + "level": 0 + }, { "linkingText": "nested through", "type": "dfn", @@ -63,6 +70,13 @@Requirements for Powerful Features
"shortname": "html5", "level": 0 }, + { + "linkingText": "potentially secure origin", + "type": "dfn", + "url": "http://www.w3.org/TR/mixed-content/#potentially-secure-origin", + "shortname": "MIX", + "level": 0 + }, { "linkingText": "sandboxed origin browsing context flag", "type": "dfn", @@ -77,6 +91,20 @@Requirements for Powerful Features
"shortname": "html5", "level": 0 }, + { + "linkingText": "settings object", + "type": "dfn", + "url": "http://www.w3.org/TR/html5/webappapis.html#settings-object", + "shortname": "html5", + "level": 0 + }, + { + "linkingText": "tls state", + "type": "dfn", + "url": "https://fetch.spec.whatwg.org/#concept-response-tls-state", + "shortname": "FETCH", + "level": 0 + }, { "linkingText": "top-level browsing context", "type": "dfn", @@ -87,7 +115,7 @@Requirements for Powerful Features
]
[ @@ -97,6 +125,13 @@@@ -143,88 +178,23 @@Requirements for Powerful Features
"url": "http://www.w3.org/TR/html5/dom.html#the-document-object", "shortname": "html5", "level": 0 + }, + { + "linkingText": "response", + "type": "interface", + "url": "https://fetch.spec.whatwg.org/#response-class", + "shortname": "FETCH", + "level": 0 } ]
Sufficiently Secure
when executed upon it.
- The goal of the normative algorithms noted above is that
- powerful features only be enabled in the
- context of an origin with one or more of the following
- characteristics:
-
- https
, wss
,
- or file
.
- 127.0.0.0/8
or ::1/128
) [[!RFC6890]].
- blob:
, and
- data:
) have origins which are globally unique identifiers
- [[URI]].
- Sufficiently
+ Secure
when executed upon it.
Sufficiently Secure
if the object represents
- a sufficiently secure context, and Insecure
otherwise.
+ Given an settings object settings, this algorithm returns
+ Sufficiently Secure
if the object represents a sufficiently
+ secure context, and Insecure
otherwise.