diff --git a/specs/mixedcontent/index.html b/specs/mixedcontent/index.html index 7d3729b1..f703e5aa 100644 --- a/specs/mixedcontent/index.html +++ b/specs/mixedcontent/index.html @@ -53,7 +53,7 @@

Mixed Content

Editor’s Draft, - 20 August 2014

+ 22 August 2014
This version:
https://w3c.github.io/webappsec/specs/mixedcontent/ @@ -148,7 +148,9 @@

  • 5.1 Does environment restrict mixed content?
  • 5.2 Should fetching request be blocked as mixed content? -
  • 5.3 Should response to request be blocked as mixed content? +
  • 5.3 Should response to request be blocked as mixed content? +
  • 5.4 Is origin an authenticated origin? +
  • 5.5 Is environment an authenticated environment?
  • 6 Integration with Fetch
  • 7 Modifications to WebSockets
  • 8 Acknowledgements @@ -408,6 +410,31 @@

    Note: We recommend that user agents return network errors rather than fetching resources whose TLS-protection is deprecated.

  • + +
    + authenticated origin +
    +
    + authenticated environment +
    +
    + An origin can be called authenticated when it either + refers to a source which is impossible not to trust (e.g. + localhost), or to a source which can be adequately verified + as authentic. + +

    A JavaScript global environment can be called + authenticated if its origin is + authenticated.

    + +

    These are spelled out in more detail in the + §5.4 + Is origin an authenticated origin? + and §5.5 + Is environment an authenticated environment? + + algorithms. +

    2.2 Terms defined by reference

    @@ -485,6 +512,14 @@

    Section 2.2.2 of the HTML5 specification. [HTML5] + +
    document environment
    +
    worker environment
    +
    + These terms are defined in + Section 6.1.3.1 of the + HTML5 specification. [[!!HTML5]] +
    @@ -1013,7 +1048,109 @@

    Return allowed. - + +
    +

    5.4 + Is origin an authenticated origin? +

    + +

    Given an origin origin, this algorithm returns + authenticated if the origin is an authenticated origin, + and unauthenticated otherwise.

    + +
      +
    1. + If origin is not an insecure origin, + return authenticated. +
    2. +
    3. + If origin’s host component is + localhost, return + authenticated. +
    4. +
    5. + If origin’s host component matches one of the + CIDR notations 127.0.0.0/8 or ::1/128 + [RFC4632], return authenticated. +
    6. +
    7. + If origin’s scheme component is + file, return authenticated. +
    8. +
    9. + If origin’s scheme component is one which the + user agent considers to be authenticated, return + authenticated. +
    10. +
    11. + Return unauthenticated. +
    12. +
    + +

    Note: The origin of blob: and filesystem: URLs + is the origin of the context in which they were created. Therefore, blobs + created in an authenticated origin will themselves be authenticated.

    + +

    Note: Step #5 above is meant to cover vendor-specific URL schemes whose + contents are authenticated by the user agent. For example, FirefoxOS + application resources are referred to with an URL whose scheme + component is app:. Likewise, Chrome’s extensions and apps + live on chrome-extension: schemes. These could reasonably + be considered authenticated origins.

    +
    + +
    +

    5.5 + Is environment an authenticated environment? +

    + +

    Given a JavaScript global environment environment, this + algorithm returns authenticated if the environment is an + authenticated environment, and unauthenticated + otherwise.

    + +
      +
    1. + Let origin be the origin specified by + environment’s entry settings object. +
    2. +
    3. + If environment is a document environment: + +
        +
      1. + Let document be the Document object of the + active document of the browsing context of + environment’s global object. +
      2. +
      3. + If document’s active sandboxing flag set has its + sandboxed origin browsing context flag set: + +
          +
        1. + Set origin to the origin of + document’s address. +
        2. +
        +
      4. +
      +
    4. +
    5. + Return the result of executing the §5.4 + Is origin an authenticated origin? + + algorithm on origin. +
    6. +
    +
    + +

    Note: Sandboxed documents will have a unique origin. This algorithm uses the + location of a sandboxed document to determine whether it should be considered + authenticated. That is, the document inside + <iframe src="https://example.com/" sandbox="allow-script"> + would be considered to have an authenticated environment. +
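Review bot: Step 3 of 5.4 says the host component "matches one of the CIDR notations 127.0.0.0/8 or ::1/128" without saying what matching means when the host is a domain name rather than an IP literal. Suggest wording along the lines of "if origin's host component is an IPv4 or IPv6 address that falls within 127.0.0.0/8 or ::1/128", so the step clearly applies to addresses only. The [RFC4632] citation covers IPv4 CIDR; the ::1/128 case needs an IPv6 addressing reference alongside it. The same wording appears in index.src.html, which is where the change should be made.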

    @@ -1210,6 +1347,8 @@

  • a priori insecure, 2.1
  • a priori insecure origin, 2.1
  • a priori insecure URL, 2.1 +
  • authenticated environment, 2.1 +
  • authenticated origin, 2.1
  • blockable, 3.2
  • blockable content, 3.2
  • blockable request contexts, 3.2 @@ -1219,6 +1358,7 @@

  • context, 2.2
  • deprecated, 2.1
  • deprecated TLS-protection, 2.1 +
  • document environment, 2.2
  • fetch, 2.2
  • frame type, 2.2
  • global environment, 2.2 @@ -1258,6 +1398,7 @@

  • unsecured environment, 2.1
  • weak, 2.2
  • weakly TLS-protected, 2.2 +
  • worker environment, 2.2
  • diff --git a/specs/mixedcontent/index.src.html b/specs/mixedcontent/index.src.html index 76045a03..304fae30 100644 --- a/specs/mixedcontent/index.src.html +++ b/specs/mixedcontent/index.src.html @@ -7,7 +7,7 @@

    Mixed Content

    Editor: Mike West, Google Inc., mkwst@google.com Group: webappsec Abstract: This specification describes how and why user agents disallow rendering and execution of content loaded over unencrypted or unauthenticated connections in the context of an encrypted and authenticated document. -Link Defaults: HTML5 (dfn) plugin / browsing context / parent browsing context / nested browsing contexts / top-level browsing context / plugin document / frame / sandboxing flag set / ancestor / navigated +Link Defaults: HTML5 (dfn) plugin / browsing context / parent browsing context / nested browsing contexts / top-level browsing context / plugin document / frame / sandboxing flag set / ancestor / navigated / entry settings object / active document / global object / sandboxed origin browsing context flag Link Defaults: HTML5 (interface) document Link Defaults: HTML5 (element) audio / iframe / video / source / track / script Version History: https://github.com/w3c/webappsec/commits/master/specs/mixedcontent/index.src.html @@ -271,6 +271,27 @@

    Terms defined by this specification

    Note: We recommend that user agents return network errors rather than fetching resources whose TLS-protection is deprecated. + +
    + authenticated origin +
    +
    + authenticated environment +
    +
    + An origin can be called authenticated when it either + refers to a source which is impossible not to trust (e.g. + localhost), or to a source which can be adequately verified + as authentic. + + A JavaScript global environment can be called + authenticated if its origin is + authenticated. + + These are spelled out in more detail in the + [[#is-origin-authenticated]] and [[#is-environment-authenticated]] + algorithms. +

    Terms defined by reference
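Review bot: The shared definition of authenticated origin and authenticated environment is too informal for other text to rely on: "impossible not to trust (e.g. localhost)" is a double negative, and "adequately verified as authentic" names no criterion. Since the paragraph already defers to [[#is-origin-authenticated]] and [[#is-environment-authenticated]], consider giving each term its own description that defines it as the result of the corresponding algorithm, and moving the rationale into a Note.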

    @@ -348,6 +369,14 @@

    Terms defined by reference

    Section 2.2.2 of the HTML5 specification. [[!HTML5]] + +
    document environment
    +
    worker environment
    +
    + These terms are defined in + Section 6.1.3.1 of the + HTML5 specification. [[!!HTML5]] +
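Review bot: The added citation is written [[!!HTML5]] with a doubled "!", while the context line directly above uses [[!HTML5]]. In the regenerated index.html the earlier citation renders as [HTML5] but this one comes through as the literal text [[!!HTML5]], so it was not processed as a reference. Change it to [[!HTML5]] and regenerate. Separately, worker environment is defined here, but the algorithm steps added in this patch only branch on document environment; either use the term or leave it out.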
    @@ -888,6 +917,106 @@

  • Return allowed.
  • + +
    +

    + Is origin an authenticated origin? +

    + + Given an origin origin, this algorithm returns + authenticated if the origin is an authenticated origin, + and unauthenticated otherwise. + +
      +
    1. + If origin is not an insecure origin, + return authenticated. +
    2. +
    3. + If origin's host component is + localhost, return + authenticated. +
    4. +
    5. + If origin's host component matches one of the + CIDR notations 127.0.0.0/8 or ::1/128 + [[!RFC4632]], return authenticated. +
    6. +
    7. + If origin's scheme component is + file, return authenticated. +
    8. +
    9. + If origin's scheme component is one which the + user agent considers to be authenticated, return + authenticated. +
    10. +
    11. + Return unauthenticated. +
    12. +
    + + Note: The origin of blob: and filesystem: URLs + is the origin of the context in which they were created. Therefore, blobs + created in an authenticated origin will themselves be authenticated. + + Note: Step #5 above is meant to cover vendor-specific URL schemes whose + contents are authenticated by the user agent. For example, FirefoxOS + application resources are referred to with an URL whose scheme + component is app:. Likewise, Chrome's extensions and apps + live on chrome-extension: schemes. These could reasonably + be considered authenticated origins. +
    + +
    +

    + Is environment an authenticated environment? +

    + + Given a JavaScript global environment environment, this + algorithm returns authenticated if the environment is an + authenticated environment, and unauthenticated + otherwise. + +
      +
    1. + Let origin be the origin specified by + environment's entry settings object. +
    2. +
    3. + If environment is a document environment: + +
        +
      1. + Let document be the {{Document}} object of the + active document of the browsing context of + environment's global object. +
      2. +
      3. + If document's active sandboxing flag set has its + sandboxed origin browsing context flag set: + +
          +
        1. + Set origin to the origin of + document's address. +
        2. +
        +
      4. +
      +
    4. +
    5. + Return the result of executing the [[#is-origin-authenticated]] + algorithm on origin. +
    6. +
    +
    + + Note: Sandboxed documents will have a unique origin. This algorithm uses the + location of a sandboxed document to determine whether it should be considered + authenticated. That is, the document inside + <iframe src="https://example.com/" sandbox="allow-script"> + would be considered to have an authenticated environment.
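Review bot: Step 2 of the origin algorithm returns authenticated for the host name localhost, while step 3 does so for the loopback address ranges; only step 3 is a property of where the connection actually goes, and nothing here requires that the name resolve to a loopback address. Either state that requirement or add a Note explaining why the name alone is sufficient. Two smaller points: the closing Note's example uses sandbox="allow-script", but the sandbox keyword is allow-scripts; and "Step #5 above" will point at the wrong step if the list is ever reordered, so describe the step (the user-agent-defined schemes) rather than numbering it.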