-
Notifications
You must be signed in to change notification settings - Fork 28
/
CR.html
1603 lines (1580 loc) · 118 KB
/
CR.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<!doctype html><html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name="viewport">
<title>Secure Contexts</title>
<meta content="CR" name="w3c-status">
<link href="https://www.w3.org/StyleSheets/TR/2016/W3C-CR" rel="stylesheet" type="text/css">
<meta content="Bikeshed 1.0.0" name="generator">
<style>
.secure {
fill: #8F8;
}
.non-secure {
fill: #F88;
stroke-dasharray: 5,5;
}
rect, circle {
stroke-width: 2;
stroke: black;
fill-opacity: 0.75;
}
text {
font-family: monospace;
}
text.rejection {
fill: #F00;
font-weight: 700;
font-size: 2em;
}
g path {
stroke-width: 2px;
stroke: #666;
fill-opacity: 0;
stroke-dasharray: 5px, 5px;
}
</style>
<style>/* style-md-lists */
/* This is a weird hack for me not yet following the commonmark spec
regarding paragraph and lists. */
[data-md] > :first-child {
margin-top: 0;
}
[data-md] > :last-child {
margin-bottom: 0;
}</style>
<style>/* style-selflinks */
.heading, .issue, .note, .example, li, dt {
position: relative;
}
a.self-link {
position: absolute;
top: 0;
left: calc(-1 * (3.5rem - 26px));
width: calc(3.5rem - 26px);
height: 2em;
text-align: center;
border: none;
transition: opacity .2s;
opacity: .5;
}
a.self-link:hover {
opacity: 1;
}
.heading > a.self-link {
font-size: 83%;
}
li > a.self-link {
left: calc(-1 * (3.5rem - 26px) - 2em);
}
dfn > a.self-link {
top: auto;
left: auto;
opacity: 0;
width: 1.5em;
height: 1.5em;
background: gray;
color: white;
font-style: normal;
transition: opacity .2s, background-color .2s, color .2s;
}
dfn:hover > a.self-link {
opacity: 1;
}
dfn > a.self-link:hover {
color: black;
}
a.self-link::before { content: "¶"; }
.heading > a.self-link::before { content: "§"; }
dfn > a.self-link::before { content: "#"; }</style>
<style>/* style-counters */
body {
counter-reset: example figure issue;
}
.issue {
counter-increment: issue;
}
.issue:not(.no-marker)::before {
content: "Issue " counter(issue);
}
.example {
counter-increment: example;
}
.example:not(.no-marker)::before {
content: "Example " counter(example);
}
.invalid.example:not(.no-marker)::before,
.illegal.example:not(.no-marker)::before {
content: "Invalid Example" counter(example);
}
figcaption {
counter-increment: figure;
}
figcaption:not(.no-marker)::before {
content: "Figure " counter(figure) " ";
}</style>
<style>/* style-autolinks */
.css.css, .property.property, .descriptor.descriptor {
color: #005a9c;
font-size: inherit;
font-family: inherit;
}
.css::before, .property::before, .descriptor::before {
content: "‘";
}
.css::after, .property::after, .descriptor::after {
content: "’";
}
.property, .descriptor {
/* Don't wrap property and descriptor names */
white-space: nowrap;
}
.type { /* CSS value <type> */
font-style: italic;
}
pre .property::before, pre .property::after {
content: "";
}
[data-link-type="property"]::before,
[data-link-type="propdesc"]::before,
[data-link-type="descriptor"]::before,
[data-link-type="value"]::before,
[data-link-type="function"]::before,
[data-link-type="at-rule"]::before,
[data-link-type="selector"]::before,
[data-link-type="maybe"]::before {
content: "‘";
}
[data-link-type="property"]::after,
[data-link-type="propdesc"]::after,
[data-link-type="descriptor"]::after,
[data-link-type="value"]::after,
[data-link-type="function"]::after,
[data-link-type="at-rule"]::after,
[data-link-type="selector"]::after,
[data-link-type="maybe"]::after {
content: "’";
}
[data-link-type].production::before,
[data-link-type].production::after,
.prod [data-link-type]::before,
.prod [data-link-type]::after {
content: "";
}
[data-link-type=element],
[data-link-type=element-attr] {
font-family: Menlo, Consolas, "DejaVu Sans Mono", monospace;
font-size: .9em;
}
[data-link-type=element]::before { content: "<" }
[data-link-type=element]::after { content: ">" }
[data-link-type=biblio] {
white-space: pre;
}</style>
<style>/* style-dfn-panel */
.dfn-panel {
position: absolute;
z-index: 35;
height: auto;
width: -webkit-fit-content;
width: fit-content;
max-width: 300px;
max-height: 500px;
overflow: auto;
padding: 0.5em 0.75em;
font: small Helvetica Neue, sans-serif, Droid Sans Fallback;
background: #DDDDDD;
color: black;
border: outset 0.2em;
}
.dfn-panel:not(.on) { display: none; }
.dfn-panel * { margin: 0; padding: 0; text-indent: 0; }
.dfn-panel > b { display: block; }
.dfn-panel a { color: black; }
.dfn-panel a:not(:hover) { text-decoration: none !important; border-bottom: none !important; }
.dfn-panel > b + b { margin-top: 0.25em; }
.dfn-panel ul { padding: 0; }
.dfn-panel li { list-style: inside; }
.dfn-panel.activated {
display: inline-block;
position: fixed;
left: .5em;
bottom: 2em;
margin: 0 auto;
max-width: calc(100vw - 1.5em - .4em - .5em);
max-height: 30vh;
}
.dfn-paneled { cursor: pointer; }
</style>
<style>/* style-syntax-highlighting */
pre.idl.highlight { color: #708090; }
.highlight:not(.idl) { background: hsl(24, 20%, 95%); }
code.highlight { padding: .1em; border-radius: .3em; }
pre.highlight, pre > code.highlight { display: block; padding: 1em; margin: .5em 0; overflow: auto; border-radius: 0; }
.highlight .c { color: #708090 } /* Comment */
.highlight .k { color: #990055 } /* Keyword */
.highlight .l { color: #000000 } /* Literal */
.highlight .n { color: #0077aa } /* Name */
.highlight .o { color: #999999 } /* Operator */
.highlight .p { color: #999999 } /* Punctuation */
.highlight .cm { color: #708090 } /* Comment.Multiline */
.highlight .cp { color: #708090 } /* Comment.Preproc */
.highlight .c1 { color: #708090 } /* Comment.Single */
.highlight .cs { color: #708090 } /* Comment.Special */
.highlight .kc { color: #990055 } /* Keyword.Constant */
.highlight .kd { color: #990055 } /* Keyword.Declaration */
.highlight .kn { color: #990055 } /* Keyword.Namespace */
.highlight .kp { color: #990055 } /* Keyword.Pseudo */
.highlight .kr { color: #990055 } /* Keyword.Reserved */
.highlight .kt { color: #990055 } /* Keyword.Type */
.highlight .ld { color: #000000 } /* Literal.Date */
.highlight .m { color: #000000 } /* Literal.Number */
.highlight .s { color: #a67f59 } /* Literal.String */
.highlight .na { color: #0077aa } /* Name.Attribute */
.highlight .nc { color: #0077aa } /* Name.Class */
.highlight .no { color: #0077aa } /* Name.Constant */
.highlight .nd { color: #0077aa } /* Name.Decorator */
.highlight .ni { color: #0077aa } /* Name.Entity */
.highlight .ne { color: #0077aa } /* Name.Exception */
.highlight .nf { color: #0077aa } /* Name.Function */
.highlight .nl { color: #0077aa } /* Name.Label */
.highlight .nn { color: #0077aa } /* Name.Namespace */
.highlight .py { color: #0077aa } /* Name.Property */
.highlight .nt { color: #669900 } /* Name.Tag */
.highlight .nv { color: #222222 } /* Name.Variable */
.highlight .ow { color: #999999 } /* Operator.Word */
.highlight .mb { color: #000000 } /* Literal.Number.Bin */
.highlight .mf { color: #000000 } /* Literal.Number.Float */
.highlight .mh { color: #000000 } /* Literal.Number.Hex */
.highlight .mi { color: #000000 } /* Literal.Number.Integer */
.highlight .mo { color: #000000 } /* Literal.Number.Oct */
.highlight .sb { color: #a67f59 } /* Literal.String.Backtick */
.highlight .sc { color: #a67f59 } /* Literal.String.Char */
.highlight .sd { color: #a67f59 } /* Literal.String.Doc */
.highlight .s2 { color: #a67f59 } /* Literal.String.Double */
.highlight .se { color: #a67f59 } /* Literal.String.Escape */
.highlight .sh { color: #a67f59 } /* Literal.String.Heredoc */
.highlight .si { color: #a67f59 } /* Literal.String.Interpol */
.highlight .sx { color: #a67f59 } /* Literal.String.Other */
.highlight .sr { color: #a67f59 } /* Literal.String.Regex */
.highlight .s1 { color: #a67f59 } /* Literal.String.Single */
.highlight .ss { color: #a67f59 } /* Literal.String.Symbol */
.highlight .vc { color: #0077aa } /* Name.Variable.Class */
.highlight .vg { color: #0077aa } /* Name.Variable.Global */
.highlight .vi { color: #0077aa } /* Name.Variable.Instance */
.highlight .il { color: #000000 } /* Literal.Number.Integer.Long */
</style>
<body class="h-entry">
<div class="head">
<p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p>
<h1>Secure Contexts</h1>
<h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">W3C Candidate Recommendation, <time class="dt-updated" datetime="2016-09-15">15 September 2016</time></span></h2>
<div data-fill-with="spec-metadata">
<dl>
<dt>This version:
<dd><a class="u-url" href="https://www.w3.org/TR/2016/CR-secure-contexts-20160915/">https://www.w3.org/TR/2016/CR-secure-contexts-20160915/</a>
<dt>Latest published version:
<dd><a href="https://www.w3.org/TR/secure-contexts/">https://www.w3.org/TR/secure-contexts/</a>
<dt>Editor's Draft:
<dd><a href="https://w3c.github.io/webappsec-secure-contexts/">https://w3c.github.io/webappsec-secure-contexts/</a>
<dt>Previous Versions:
<dd><a href="https://www.w3.org/TR/2016/WD-secure-contexts-20160719/" rel="previous">https://www.w3.org/TR/2016/WD-secure-contexts-20160719/</a>
<dt>Version History:
<dd><a href="https://github.com/w3c/webappsec-secure-contexts/commits/master/index.src.html">https://github.com/w3c/webappsec-secure-contexts/commits/master/index.src.html</a>
<dt>Feedback:
<dd><span><a href="mailto:[email protected]?subject=%5Bsecure-contexts%5D%20YOUR%20TOPIC%20HERE">[email protected]</a> with subject line “<kbd>[secure-contexts] <i data-lt="">… message topic …</i></kbd>” (<a href="https://lists.w3.org/Archives/Public/public-webappsec/" rel="discussion">archives</a>)</span>
<dt class="editor">Editor:
<dd class="editor p-author h-card vcard" data-editor-id="56384"><a class="p-name fn u-email email" href="mailto:[email protected]">Mike West</a> (<span class="p-org org">Google Inc.</span>)
<dt class="editor">Former Editor:
<dd class="editor p-author h-card vcard"><span class="p-name fn">Yan Zhu</span> (<span class="p-org org">Brave</span>)
<dt>Participate:
<dd><span><a href="https://github.com/w3c/webappsec-secure-contexts/issues/new">File an issue</a> (<a href="https://github.com/w3c/webappsec-secure-contexts/issues">open issues</a>)</span>
</dl>
</div>
<div data-fill-with="warning"></div>
<p class="copyright" data-fill-with="copyright"><a href="https://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2016 <a href="https://www.w3.org/"><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>®</sup> (<a href="https://www.csail.mit.edu/"><abbr title="Massachusetts Institute of Technology">MIT</abbr></a>, <a href="https://www.ercim.eu/"><abbr title="European Research Consortium for Informatics and Mathematics">ERCIM</abbr></a>, <a href="https://www.keio.ac.jp/">Keio</a>, <a href="http://ev.buaa.edu.cn/">Beihang</a>). W3C <a href="https://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="https://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="https://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply. </p>
<hr title="Separator for header">
</div>
<h2 class="no-num no-toc no-ref heading settled" id="abstract"><span class="content">Abstract</span></h2>
<div class="p-summary" data-fill-with="abstract">
<p>This specification defines "secure contexts", thereby allowing user agent
implementers and specification authors to enable certain features only when
certain minimum standards of authentication and confidentiality are met.</p>
</div>
<h2 class="no-num no-toc no-ref heading settled" id="status"><span class="content">Status of this document</span></h2>
<div data-fill-with="status">
<p> <em>This section describes the status of this document at the time of
its publication. Other documents may supersede this document. A list of
current W3C publications and the latest revision of this technical report
can be found in the <a href="https://www.w3.org/TR/">W3C technical reports
index at https://www.w3.org/TR/.</a></em> </p>
<p> This document was published by the <a href="https://www.w3.org/2011/webappsec/">Web Application Security Working Group</a> as a Candidate Recommendation. This document is intended to become a W3C Recommendation.
This document will remain a Candidate Recommendation at least until <time class="status-deadline" datetime="2016-10-20">20 October 2016</time> in order
to ensure the opportunity for wide review. </p>
<p> The (<a href="https://lists.w3.org/Archives/Public/public-webappsec/">archived</a>) public mailing list <a href="mailto:[email protected]?Subject=%5Bsecure-contexts%5D%20PUT%20SUBJECT%20HERE">[email protected]</a> (see <a href="https://www.w3.org/Mail/Request">instructions</a>)
is preferred for discussion of this specification.
When sending e-mail,
please put the text “secure-contexts” in the subject,
preferably like this:
“[secure-contexts] <em>…summary of comment…</em>” </p>
<p> Publication as a Candidate Recommendation does not imply endorsement by the W3C
Membership. This is a draft document and may be updated, replaced or
obsoleted by other documents at any time. It is inappropriate to cite this
document as other than work in progress. </p>
<p> The entrance criteria for this document to enter the Proposed Recommendation stage
is to have a minimum of two independent and interoperable user agents that
implement all the features of this specification, which will be determined by
passing the user agent tests defined in the test suite developed by the Working
Group. The Working Group will prepare an implementation report to track progress. </p>
<p> This document was produced by a group operating under
the <a href="https://www.w3.org/Consortium/Patent-Policy-20040205/">5 February 2004 W3C Patent Policy</a>.
W3C maintains a <a href="https://www.w3.org/2004/01/pp-impl/49309/status" rel="disclosure">public list of any patent disclosures</a> made in connection with the deliverables of the group;
that page also includes instructions for disclosing a patent.
An individual who has actual knowledge of a patent which the individual believes contains <a href="https://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential Claim(s)</a> must disclose the information in accordance with <a href="https://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section 6 of the W3C Patent Policy</a>. </p>
<p> This document is governed by the <a href="https://www.w3.org/2015/Process-20150901/" id="w3c_process_revision">1 September 2015 W3C Process Document</a>. </p>
<p></p>
</div>
<div data-fill-with="at-risk">
<p>The following features are at-risk, and may be dropped during the CR period: </p>
<ul>
<li>The <a data-link-type="dfn" href="#sandboxed-secure-browsing-context-flag">sandboxed secure browsing context flag</a> defined in <a href="#monkey-patching-sandbox-flags">§2.2.1 Sandboxing</a>, as well as its usage in <a href="#settings-object">§3.1 Is the environment settings object settings a secure context?</a>. [<a href="#issue-255ee4a4">Issue 2</a>]
<li>The <code>localhost</code> carveout, discussed in <a href="#localhost">§5.2 localhost</a>. [<a href="#issue-8ea95bab">Issue 6</a>]
<li>The <code>opener</code> restriction on popups. [<a href="#issue-6a3aa5cd">Issue 7</a>]
</ul>
<p>“At-risk” is a W3C Process term-of-art, and does not necessarily imply that the feature is in danger of being dropped or delayed. It means that the WG believes the feature may have difficulty being interoperably implemented in a timely manner, and marking it as such allows the WG to drop the feature if necessary when transitioning to the Proposed Rec stage, without having to publish a new Candidate Rec without the feature first.</p>
</div>
<nav data-fill-with="table-of-contents" id="toc">
<h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
<ol class="toc" role="directory">
<li>
<a href="#intro"><span class="secno">1</span> <span class="content">Introduction</span></a>
<ol class="toc">
<li><a href="#examples-top-level"><span class="secno">1.1</span> <span class="content">Top-level Documents</span></a>
<li><a href="#examples-framed"><span class="secno">1.2</span> <span class="content">Framed Documents</span></a>
<li><a href="#examples-workers"><span class="secno">1.3</span> <span class="content">Web Workers</span></a>
<li><a href="#examples-shared-workers"><span class="secno">1.4</span> <span class="content">Shared Workers</span></a>
<li><a href="#examples-service-workers"><span class="secno">1.5</span> <span class="content">Service Workers</span></a>
</ol>
<li>
<a href="#framework"><span class="secno">2</span> <span class="content">Framework</span></a>
<ol class="toc">
<li><a href="#integration-idl"><span class="secno">2.1</span> <span class="content">Intergration with WebIDL</span></a>
<li>
<a href="#monkey-patching-html"><span class="secno">2.2</span> <span class="content">Modifications to HTML</span></a>
<ol class="toc">
<li><a href="#monkey-patching-sandbox-flags"><span class="secno">2.2.1</span> <span class="content">Sandboxing</span></a>
<li><a href="#monkey-patching-shared-workers"><span class="secno">2.2.2</span> <span class="content">Shared Workers</span></a>
<li><a href="#monkey-patching-global-object"><span class="secno">2.2.3</span> <span class="content">Feature Detection</span></a>
</ol>
</ol>
<li>
<a href="#algorithms"><span class="secno">3</span> <span class="content">Algorithms</span></a>
<ol class="toc">
<li><a href="#settings-object"><span class="secno">3.1</span> <span class="content"> Is the environment settings object <var>settings</var> a secure context? </span></a>
<li><a href="#is-origin-trustworthy"><span class="secno">3.2</span> <span class="content"> Is <var>origin</var> potentially trustworthy? </span></a>
<li><a href="#is-url-trustworthy"><span class="secno">3.3</span> <span class="content"> Is <var>url</var> potentially trustworthy? </span></a>
</ol>
<li>
<a href="#threat-models-risks"><span class="secno">4</span> <span class="content"> Threat models and risks </span></a>
<ol class="toc">
<li>
<a href="#threat-models"><span class="secno">4.1</span> <span class="content">Threat Models</span></a>
<ol class="toc">
<li><a href="#threat-passive"><span class="secno">4.1.1</span> <span class="content">Passive Network Attacker</span></a>
<li><a href="#threat-active"><span class="secno">4.1.2</span> <span class="content">Active Network Attacker</span></a>
</ol>
<li><a href="#ancestors"><span class="secno">4.2</span> <span class="content">Ancestral Risk</span></a>
<li><a href="#threat-risks"><span class="secno">4.3</span> <span class="content">Risks associated with non-secure contexts</span></a>
</ol>
<li>
<a href="#security-considerations"><span class="secno">5</span> <span class="content">Security Considerations</span></a>
<ol class="toc">
<li><a href="#isolation"><span class="secno">5.1</span> <span class="content">Incomplete Isolation</span></a>
<li><a href="#localhost"><span class="secno">5.2</span> <span class="content"><code>localhost</code></span></a>
</ol>
<li><a href="#privacy-considerations"><span class="secno">6</span> <span class="content">Privacy Considerations</span></a>
<li>
<a href="#implementation-considerations"><span class="secno">7</span> <span class="content">Implementation Considerations</span></a>
<ol class="toc">
<li><a href="#packaged-applications"><span class="secno">7.1</span> <span class="content">Packaged Applications</span></a>
<li><a href="#development-environments"><span class="secno">7.2</span> <span class="content">Development Environments</span></a>
<li><a href="#new"><span class="secno">7.3</span> <span class="content">Restricting New Features</span></a>
<li>
<a href="#legacy"><span class="secno">7.4</span> <span class="content">Restricting Legacy Features</span></a>
<ol class="toc">
<li><a href="#legacy-example"><span class="secno">7.4.1</span> <span class="content">Example: Geolocation</span></a>
</ol>
</ol>
<li><a href="#acknowledgements"><span class="secno">8</span> <span class="content">Acknowledgements</span></a>
<li>
<a href="#conformance"><span class="secno"></span> <span class="content">Conformance</span></a>
<ol class="toc">
<li><a href="#conventions"><span class="secno"></span> <span class="content">Document conventions</span></a>
<li><a href="#conformant-algorithms"><span class="secno"></span> <span class="content">Conformant Algorithms</span></a>
</ol>
<li>
<a href="#index"><span class="secno"></span> <span class="content">Index</span></a>
<ol class="toc">
<li><a href="#index-defined-here"><span class="secno"></span> <span class="content">Terms defined by this specification</span></a>
<li><a href="#index-defined-elsewhere"><span class="secno"></span> <span class="content">Terms defined by reference</span></a>
</ol>
<li>
<a href="#references"><span class="secno"></span> <span class="content">References</span></a>
<ol class="toc">
<li><a href="#normative"><span class="secno"></span> <span class="content">Normative References</span></a>
<li><a href="#informative"><span class="secno"></span> <span class="content">Informative References</span></a>
</ol>
<li><a href="#idl-index"><span class="secno"></span> <span class="content">IDL Index</span></a>
<li><a href="#issues-index"><span class="secno"></span> <span class="content">Issues Index</span></a>
</ol>
</nav>
<main>
<section>
<h2 class="heading settled" data-level="1" id="intro"><span class="secno">1. </span><span class="content">Introduction</span><a class="self-link" href="#intro"></a></h2>
<p><em>This section is not normative.</em></p>
<p>As the web platform is extended to enable more useful and powerful
applications, it becomes increasingly important to ensure that the features
which enable those applications are enabled only in contexts which meet a minimum
security level. As an extension of the TAG’s recommendations in <a data-link-type="biblio" href="#biblio-securing-web">[SECURING-WEB]</a>,
this document describes threat models for feature abuse on the web (see <a href="#threat-models">§4.1 Threat Models</a>) and outlines normative requirements which should be
incorporated into documents specifying new features (see <a href="#implementation-considerations">§7 Implementation Considerations</a>).</p>
<p>The most obvious of the requirements discussed here is that application code
with access to sensitive or private data be delivered confidentially over
authenticated channels that guarantee data integrity. Delivering code securely
cannot ensure that an application will always meet a user’s security and
privacy requirements, but it is a necessary precondition.</p>
<p>Less obviously, application code delivered over an authenticated and confidential
channel isn’t enough in and of itself to limit the use of powerful features by
non-secure contexts. As <a href="#ancestors">§4.2 Ancestral Risk</a> explains, cooperative frames can be
abused to bypass otherwise solid restrictions on a feature. The algorithms
defined below ensure that these bypasses are difficult and user-visible.</p>
<p>The following examples summarize the normative text which follows:</p>
<h3 class="heading settled" data-level="1.1" id="examples-top-level"><span class="secno">1.1. </span><span class="content">Top-level Documents</span><a class="self-link" href="#examples-top-level"></a></h3>
<p>Top-level documents are secure as long as they don’t have a non-secure <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#opener-browsing-context">opener browsing context</a>. This is a bit convoluted, so let’s go straight
to the examples:</p>
<div class="example" id="example-c3b67557">
<a class="self-link" href="#example-c3b67557"></a>
<p><code>http://example.com/</code> opened in a <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#top-level-browsing-context">top-level browsing
context</a> is not a <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-1">secure context</a>, as it was not delivered over
an authenticated and encrypted channel.</p>
<svg height="200" width="400">
<g transform="translate(10,10)">
<rect class="non-secure" height="175" width="297" x="0" y="0"></rect>
<text transform="translate(10, 20)">http://example.com/</text>
</g>
</svg>
</div>
<div class="example" id="example-f9c0bcaa">
<a class="self-link" href="#example-f9c0bcaa"></a>
<p><code>https://example.com/</code> opened in a <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#top-level-browsing-context">top-level browsing
context</a> is a <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-2">secure context</a>, as it was delivered over
an authenticated and encrypted channel.</p>
<svg height="200" width="400">
<g transform="translate(10,10)">
<rect class="secure" height="175" width="297" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
</g>
</svg>
</div>
<div class="example" id="example-601f9a50">
<a class="self-link" href="#example-601f9a50"></a>
<p>
If a secure context opens <code>https://example.com/</code> in a new
window, that new window will be a secure context, as it is both secure on
its own merits, and was opened from a secure context:
<svg height="400" width="400">
<g transform="translate(10,10)">
<rect class="secure" height="175" width="297" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://secure.example.com/</text>
</g>
<g transform="translate(10,210)">
<rect class="secure" height="175" width="297" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://another.example.com/</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 150 287"></path>
</g>
</svg>
</p>
</div>
<div class="example" id="example-540bc97b">
<a class="self-link" href="#example-540bc97b"></a>
<p>If a non-secure context opens <code>https://example.com/</code> in a new
window, then things are more complicated. The new window’s status depends on
how it was opened. If the non-secure context can obtain a reference to the
secure context, or vice-versa, then the new window is not a secure context. </p>
<p>This means that the following will both produce non-secure contexts:</p>
<pre><a href="https://example.com/" target="_blank">Link!</a>
<script>
var w = window.open("https://example.com/");
</script>
</pre>
<svg height="400" width="400">
<g transform="translate(10,10)">
<rect class="non-secure" height="175" width="297" x="0" y="0"></rect>
<text transform="translate(10, 20)">http://non-secure.example.com/</text>
</g>
<g transform="translate(10,210)">
<rect class="non-secure" height="175" width="297" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://another.example.com/</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 150 287"></path>
</g>
</svg>
<p>The link can be broken via the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/semantics.html#link-type-noopener"><code>noopener</code></a> link relation, meaning
that the following will both produce secure contexts:</p>
<pre><a href="https://example.com/" rel="<a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/semantics.html#link-type-noopener">noopener</a>" target="_blank">Link!</a>
<script>
var w = window.open("https://example.com/", "", "<a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/semantics.html#link-type-noopener">noopener</a>");
</script>
</pre>
<svg height="400" width="400">
<g transform="translate(10,10)">
<rect class="non-secure" height="175" width="297" x="0" y="0"></rect>
<text transform="translate(10, 20)">http://non-secure.example.com/</text>
</g>
<g transform="translate(10,210)">
<rect class="secure" height="175" width="297" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://another.example.com/</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 150 287"></path>
</g>
</svg>
<p class="issue" id="issue-ca3d623e"><a class="self-link" href="#issue-ca3d623e"></a> W3C’s HTML has only an <i>extremely</i> partial port of
the <code>noopener</code> concept. <a href="https://github.com/w3c/html/issues/523"><https://github.com/w3c/html/issues/523></a></p>
</div>
<h3 class="heading settled" data-level="1.2" id="examples-framed"><span class="secno">1.2. </span><span class="content">Framed Documents</span><a class="self-link" href="#examples-framed"></a></h3>
<p>Framed documents can be <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-3">secure contexts</a> if they are delivered from <a data-link-type="dfn" href="#potentially-trustworthy-origin" id="ref-for-potentially-trustworthy-origin-1">potentially trustworthy origins</a>, <em>and</em> if they’re embedded
in a <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-4">secure context</a>. That is:</p>
<div class="example" id="example-9e620851">
<a class="self-link" href="#example-9e620851"></a> If <code>https://example.com/</code> opened in a <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#top-level-browsing-context">top-level browsing
context</a> opens <code>https://sub.example.com/</code> in a frame, then
both are <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-5">secure contexts</a>, as both were delivered over
authenticated and encrypted channels.
<p></p>
<svg height="200" width="400">
<g transform="translate(10,10)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g transform="translate(20, 50)">
<rect class="secure" height="105" width="250" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://sub.example.com/</text>
</g>
</g>
</svg>
</div>
<div class="example" id="example-90fe8723">
<a class="self-link" href="#example-90fe8723"></a>
<p>If <code>https://example.com/</code> was somehow able to frame <code>http://non-secure.example.com/</code> (perhaps the user has
overridden mixed content checking?), the top-level frame would remain
secure, but the framed content is not a secure context.</p>
<svg height="200" width="400">
<g transform="translate(10,10)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g transform="translate(20, 50)">
<rect class="non-secure" height="105" width="250" x="0" y="0"></rect>
<text transform="translate(10, 20)">http://non-secure.example.com/</text>
</g>
</g>
</svg>
</div>
<div class="example" id="example-c52936fc">
<a class="self-link" href="#example-c52936fc"></a>
<p>If, on the other hand, <code>https://example.com/</code> is framed
inside of <code>http://non-secure.example.com/</code>, then it is <em>not</em> a secure context, as its ancestor is not delivered over an
authenticated and encrypted channel.</p>
<svg height="200" width="400">
<g transform="translate(10,10)">
<rect class="non-secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">http://non-secure.example.com/</text>
<g transform="translate(20, 50)">
<rect class="non-secure" height="105" width="250" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
</g>
</g>
</svg>
</div>
<h3 class="heading settled" data-level="1.3" id="examples-workers"><span class="secno">1.3. </span><span class="content">Web Workers</span><a class="self-link" href="#examples-workers"></a></h3>
<p>Dedicated Workers are similar in nature to framed documents. They’re <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-6">secure contexts</a> when they’re delivered from <a data-link-type="dfn" href="#potentially-trustworthy-origin" id="ref-for-potentially-trustworthy-origin-2">potentially
trustworthy origins</a>, only if their owner is itself a <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-7">secure
context</a>:</p>
<div class="example" id="example-512dd4fd">
<a class="self-link" href="#example-512dd4fd"></a>
<p>If <code>https://example.com/</code> in a <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#top-level-browsing-context">top-level browsing
context</a> runs <code>https://example.com/worker.js</code>, then
both the document and the worker are <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-8">secure contexts</a>.</p>
<svg height="200" width="600">
<g transform="translate(10,10)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g transform="translate(400, 110)">
<circle class="secure" r="50"></circle>
<text transform="translate(-75, -55)">https://example.com/worker.js</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 110"></path>
</g>
</g>
</svg>
</div>
<div class="example" id="example-453513c5">
<a class="self-link" href="#example-453513c5"></a>
<p>If <code>http://non-secure.example.com/</code> in a <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#top-level-browsing-context">top-level browsing
context</a> frames <code>https://example.com/</code>, which runs <code>https://example.com/worker.js</code>, then neither the framed document
nor the worker are <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-9">secure contexts</a>.</p>
<svg height="200" width="600">
<g transform="translate(10,10)">
<rect class="non-secure" height="175" width="297" x="0" y="0"></rect>
<text transform="translate(10, 20)">http://non-secure.example.com/</text>
<g transform="translate(20, 50)">
<rect class="non-secure" height="105" width="250" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
</g>
<g transform="translate(400, 110)">
<circle class="non-secure" r="50"></circle>
<text transform="translate(-75, -55)">https://example.com/worker.js</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 110"></path>
</g>
</g>
</svg>
</div>
<h3 class="heading settled" data-level="1.4" id="examples-shared-workers"><span class="secno">1.4. </span><span class="content">Shared Workers</span><a class="self-link" href="#examples-shared-workers"></a></h3>
<p>Multiple contexts may attach to a Shared Worker. If a <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-10">secure context</a> creates a Shared Worker, then it is a <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-11">secure context</a>, and may only be
attached to by other <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-12">secure contexts</a>. If a non-secure context creates
a Shared Worker, then it is <em>not</em> a <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-13">secure context</a>, and may only
be attached to by other non-secure contexts.</p>
<div class="example" id="example-7e3c52b5">
<a class="self-link" href="#example-7e3c52b5"></a>
<p>If <code>https://example.com/</code> in a <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#top-level-browsing-context">top-level browsing
context</a> runs <code>https://example.com/worker.js</code> as a Shared
Worker, then both the document and the worker are considered secure
contexts.</p>
<svg height="200" width="600">
<g transform="translate(10,10)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g transform="translate(400, 110)">
<circle class="secure" r="50"></circle>
<text transform="translate(-75, -55)">https://example.com/worker.js</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 110"></path>
</g>
</g>
</svg>
</div>
<div class="example" id="example-f3aef4f7">
<a class="self-link" href="#example-f3aef4f7"></a>
<p><code>https://example.com/</code> in a different <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#top-level-browsing-context">top-level
browsing context</a> (e.g. in a new window) is a secure context, so it may
access the secure shared worker:</p>
<svg height="400" width="600">
<g transform="translate(10,10)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g transform="translate(400, 110)">
<circle class="secure" r="50"></circle>
<text transform="translate(-75, -55)">https://example.com/worker.js</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 110"></path>
</g>
</g>
<g transform="translate(10,200)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 -80"></path>
</g>
</g>
</svg>
</div>
<div class="example" id="example-2829bc67">
<a class="self-link" href="#example-2829bc67"></a>
<p><code>https://example.com/</code> nested in <code>http://non-secure.example.com/</code> may not connect to the secure
worker, as it is not a secure context.</p>
<svg height="400" width="600">
<g transform="translate(10,10)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g transform="translate(400, 110)">
<circle class="secure" r="50"></circle>
<text transform="translate(-75, -55)">https://example.com/worker.js</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 110"></path>
</g>
</g>
<g transform="translate(10,200)">
<rect class="non-secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">http://non-secure.example.com/</text>
<g transform="translate(20, 50)">
<rect class="non-secure" height="105" width="250" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 20"></path>
<text class="rejection" transform="translate(405, 20)">X</text>
</g>
</g>
</svg>
</div>
<div class="example" id="example-a7414e08">
<a class="self-link" href="#example-a7414e08"></a>
<p>Likewise, if <code>https://example.com/</code> nested in <code>http://non-secure.example.com/</code> runs <code>https://example.com/worker.js</code> as a Shared
Worker, then both the document and the worker are considered non-secure.</p>
<svg height="400" width="600">
<g transform="translate(10,10)">
<rect class="non-secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">http://non-secure.example.com/</text>
<g transform="translate(20, 50)">
<rect class="non-secure" height="105" width="250" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
</g>
<g transform="translate(400, 110)">
<circle class="non-secure" r="50"></circle>
<text transform="translate(-75, -55)">https://example.com/worker.js</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 110"></path>
</g>
</g>
<g transform="translate(10,200)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 20"></path>
<text class="rejection" transform="translate(405, 20)">X</text>
</g>
</g>
</svg>
</div>
<h3 class="heading settled" data-level="1.5" id="examples-service-workers"><span class="secno">1.5. </span><span class="content">Service Workers</span><a class="self-link" href="#examples-service-workers"></a></h3>
<p>Service Workers are always <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-14">secure contexts</a>. Only <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-15">secure contexts</a> may register them, and they may only have clients which are <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-16">secure
contexts</a>.</p>
<div class="example" id="example-58019791">
<a class="self-link" href="#example-58019791"></a>
<p>If <code>https://example.com/</code> in a <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#top-level-browsing-context">top-level browsing
context</a> registers <code>https://example.com/service.js</code>,
then both the document and the Service Worker are considered secure
contexts.</p>
<svg height="200" width="600">
<g transform="translate(10,10)">
<rect class="secure" height="175" width="300" x="0" y="0"></rect>
<text transform="translate(10, 20)">https://example.com/</text>
<g transform="translate(400, 110)">
<circle class="secure" r="50"></circle>
<text transform="translate(-75, -55)">https://example.com/service.js</text>
</g>
<g>
<path d="M150, 87 C 200 75, 350 75, 405 110"></path>
</g>
</g>
</svg>
</div>
</section>
<section>
<h2 class="heading settled" data-level="2" id="framework"><span class="secno">2. </span><span class="content">Framework</span><a class="self-link" href="#framework"></a></h2>
<p>An <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#environment-settings-object">environment settings object</a> is considered a <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" data-lt="secure context" id="secure-context">secure
context</dfn> if the algorithm in <a href="#settings-object">§3.1 Is the environment settings object settings a secure context?</a> returns "<code>Secure</code>", and a <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="non-secure-context">non-secure context</dfn> otherwise.</p>
<p>Likewise, a <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#global-object">global object</a> is considered a <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-17">secure context</a> if its <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#relevant-settings-object">relevant settings object</a> is a <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-18">secure context</a>.</p>
<section class="non-normative">
<h3 class="heading settled" data-level="2.1" id="integration-idl"><span class="secno">2.1. </span><span class="content">Intergration with WebIDL</span><a class="self-link" href="#integration-idl"></a></h3>
<p><em>This section is non-normative.</em></p>
<p>A new <a data-link-type="dfn" href="https://heycam.github.io/webidl/#SecureContext"><code>[SecureContext]</code></a> attribute is available for operators, which
ensures that they will only be <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-exposed">exposed</a> into secure contexts. The
following example should help:</p>
<div class="example" id="example-81580eb2">
<a class="self-link" href="#example-81580eb2"></a>
<pre class="idl highlight def"><span class="kt">interface</span> <span class="nv">ExampleFeature</span> {
// This call will succeed in all contexts.
<span class="kt">Promise</span> <<span class="kt">double</span>> <span class="nv">calculateNotSoSecretResult</span>();
// This operation will not be exposed to a non-secure context.
<a data-link-type="dfn" href="https://heycam.github.io/webidl/#SecureContext">[<span class="nv">SecureContext</span>]</a> <span class="kt">Promise</span><<span class="kt">double</span>> <span class="nv">calculateSecretResult</span>();
// The same applies here: the operation will not be exposed to a non-secure context.
<a data-link-type="dfn" href="https://heycam.github.io/webidl/#SecureContext">[<span class="nv">SecureContext</span>]</a> <span class="kt">boolean</span> <span class="nv">getSecretBoolean</span>();
};
[<span class="nv">SecureContext</span>]
<span class="kt">interface</span> <span class="nv">SecureFeature</span> {
// This interface will not be exposed to non-secure contexts.
<span class="kt">Promise</span><<span class="kt">any</span>> <span class="nv">doAmazingThing</span>();
};
</pre>
</div>
<p>Specification authors are encouraged to use this attribute when defining new
features.</p>
<h3 class="heading settled" data-level="2.2" id="monkey-patching-html"><span class="secno">2.2. </span><span class="content">Modifications to HTML</span><a class="self-link" href="#monkey-patching-html"></a></h3>
<h4 class="heading settled" data-level="2.2.1" id="monkey-patching-sandbox-flags"><span class="secno">2.2.1. </span><span class="content">Sandboxing</span><a class="self-link" href="#monkey-patching-sandbox-flags"></a></h4>
<p>Developers may wish to treat sandboxed <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#browsing-context">browsing contexts</a> as <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-19">secure
contexts</a> in some situations, and <a data-link-type="dfn" href="#non-secure-context" id="ref-for-non-secure-context-1">non-secure contexts</a> in others. The
following sandboxing flag supports this desire:</p>
<dl>
<dt>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="sandboxed-secure-browsing-context-flag">sandboxed secure browsing context flag</dfn>
<dd> This flag asserts that content in a browsing context will be treated as a <a data-link-type="dfn" href="#non-secure-context" id="ref-for-non-secure-context-2">non-secure context</a>, even if it would otherwise be considered secure.
</dl>
<p>The <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#parse-the-sandboxing-directive">parse the sandboxing directive</a> algorithm is extended by adding the
following entry to the list in the final step of the algorithm which parses <var>tokens</var> into flags:</p>
<ul>
<li data-md="">
<p>The <a data-link-type="dfn" href="#sandboxed-secure-browsing-context-flag" id="ref-for-sandboxed-secure-browsing-context-flag-1">sandboxed secure browsing context flag</a>, unless <var>tokens</var> contains the <dfn data-dfn-for="iframe/sandbox" data-dfn-type="attr-value" data-export="" id="attr-valuedef-iframe-sandbox-allow-secure-context"><code>allow-secure-context</code><a class="self-link" href="#attr-valuedef-iframe-sandbox-allow-secure-context"></a></dfn> keyword.</p>
</ul>
<p class="issue" id="issue-255ee4a4"><a class="self-link" href="#issue-255ee4a4"></a> This feature is "at risk", pending the
resolution of the linked issue (which itself is pending metrics gathered from
browser vendors). Accordingly, no attempt has been made to upstream this to
either WHATWG’s HTML or W3C’s HTML. Once we’ve decided whether or not to keep
the feature, we’ll work on that. <a href="https://github.com/w3c/webappsec-secure-contexts/issues/28"><https://github.com/w3c/webappsec-secure-contexts/issues/28></a></p>
<h4 class="non-normative heading settled" data-level="2.2.2" id="monkey-patching-shared-workers"><span class="secno">2.2.2. </span><span class="content">Shared Workers</span><a class="self-link" href="#monkey-patching-shared-workers"></a></h4>
<p><em>This section is non-normative</em>.</p>
<p>The <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/workers/#dom-sharedworker">SharedWorker()</a></code> constructor will throw a <code>SecurityError</code> exception if
a <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-20">secure context</a> attempts to attach to an Worker which is not a <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-21">secure context</a>, and if a non-secure context attempts to attach to a
Worker which is a <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-22">secure context</a>.</p>
<p>The constructor is modified as follows (though the SharedWorker specification
remains the normative reference):</p>
<ol>
<li data-md="">
<p>As the first substep of the <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/workers/#dom-sharedworker">SharedWorker()</a></code> constructor’s current step
6.7 ("If <var>worker global scope</var> is not <code>null</code>, then run these
steps:"), run the following step:</p>
<ol>
<li data-md="">
<p>If the result of executing <a href="#settings-object">§3.1 Is the environment settings object settings a secure context?</a> on the <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#current-settings-object">current
settings object</a> does not match the result of executing the same
algorithm on <var>worker global scope</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#relevant-settings-object">relevant settings
object</a>, then throw a <code>SecurityError</code> exception, and abort
these steps.</p>
</ol>
</ol>
<p class="note" role="note">Note: This change landed in WHATWG’s HTML in <a href="https://github.com/whatwg/html/pull/1560">whatwg/html#1560</a>.</p>
<p class="issue" id="issue-9d36a596"><a class="self-link" href="#issue-9d36a596"></a> It’s not clear to me how the W3C’s <a data-link-type="biblio" href="#biblio-webworkers">[WEBWORKERS]</a> document is updated.
It looks like it’s pulling content from the WHATWG upstream, which means
that the PR linked above should flow into it? But that document hasn’t been
updated since 2015, so...</p>
</section>
<h4 class="heading settled" data-level="2.2.3" id="monkey-patching-global-object"><span class="secno">2.2.3. </span><span class="content">Feature Detection</span><a class="self-link" href="#monkey-patching-global-object"></a></h4>
<p>To determine whether a context is capable of making use of features which
require <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-23">secure contexts</a>, a simple boolean attribute is added to the
global object:</p>
<pre class="idl highlight def"><span class="kt">partial</span> <span class="kt">interface</span> <a class="nv idl-code" data-link-type="interface" href="https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope">WindowOrWorkerGlobalScope</a> {
<span class="kt">readonly</span> <span class="kt">attribute</span> <span class="kt">boolean</span> <dfn class="nv dfn-paneled idl-code" data-dfn-for="WindowOrWorkerGlobalScope" data-dfn-type="attribute" data-export="" data-readonly="" data-type="boolean" id="dom-windoworworkerglobalscope-issecurecontext">isSecureContext</dfn>;
};
</pre>
<div class="issue" id="issue-b7ebde19">
<a class="self-link" href="#issue-b7ebde19"></a> <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope">WindowOrWorkerGlobalScope</a></code> does not appear to be defined in W3C’s
HTML. For the purposes of that specification, the IDL above could be
interpreted as:
<pre>interface GlobalSecureContext {
readonly attribute boolean isSecureContext;
};
Window implements GlobalSecureContext;
WorkerGlobalScope implements GlobalSecureContext;
</pre>
<p>Filed as <a href="https://github.com/w3c/html/issues/522">w3c/html#522</a>.</p>
</div>
<p>The <code class="idl"><a data-link-type="idl" href="#dom-windoworworkerglobalscope-issecurecontext" id="ref-for-dom-windoworworkerglobalscope-issecurecontext-1">isSecureContext</a></code> attribute’s getter
returns <code>true</code> if <a href="#settings-object">§3.1 Is the environment settings object settings a secure context?</a> returns "<code>Secure</code>" when executed upon <code>this</code> <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#global-object">global object</a>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#relevant-settings-object">relevant settings object</a>, and <code>false</code> otherwise.</p>
</section>
<section>
<h2 class="heading settled" data-level="3" id="algorithms"><span class="secno">3. </span><span class="content">Algorithms</span><a class="self-link" href="#algorithms"></a></h2>
<h3 class="heading settled" data-level="3.1" id="settings-object"><span class="secno">3.1. </span><span class="content"> Is the environment settings object <var>settings</var> a secure context? </span><a class="self-link" href="#settings-object"></a></h3>
<p>Given an <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#environment-settings-object">environment settings object</a> (<var>settings</var>) this algorithm
returns "<code>Secure</code>" if the object represents a context which the user agent
obtained via a secure channel, and "<code>Not Secure</code>" otherwise.</p>
<ol>
<li data-md="">
<p>Let <var>global</var> be <var>settings</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#the-environment-settings-objects-global-object">global object</a>.</p>
<li data-md="">
<p>If <var>global</var> is a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/workers/#workerglobalscope">WorkerGlobalScope</a></code>, then:</p>
<ol>
<li data-md="">
<p>For each <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html51/dom.html#the-document-object">Document</a></code> (<var>document</var>) in <var>global</var>’s list of <a data-link-type="dfn" href="https://www.w3.org/TR/workers/#the-worker-s-documents">the
worker’s <code>Documents</code></a>:</p>
<ol>
<li data-md="">
<p class="assertion">Assert: Workers must be same-origin with the context that created
them, so <var>document</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#relevant-settings-object">relevant settings object</a>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#environment-settings-object">origin</a> and <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#https-state">HTTPS
state</a> is the same as <var>global</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#relevant-settings-object">relevant settings
object</a>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#environment-settings-object">origin</a> and <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#https-state">HTTPS state</a>.</p>
<li data-md="">
<p>If <a href="#settings-object">§3.1 Is the environment settings object settings a secure context?</a> returns "<code>Not Secure</code>" when executed upon <var>document</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#relevant-settings-object">relevant settings object</a>, return "<code>Not Secure</code>".</p>
</ol>
<li data-md="">
<p>Return "<code>Secure</code>".</p>
<p class="note" role="note">Note: Given the assertion above, if we’ve reached this step, the
worker must have been created from a <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-24">secure context</a>, and
therefore must itself be a <a data-link-type="dfn" href="#secure-context" id="ref-for-secure-context-25">secure context</a>.</p>
</ol>
<li data-md="">
<p class="assertion">Assert: <var>global</var> is a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html51/browsers.html#the-window-object">Window</a></code>.</p>
<li data-md="">
<p>Let <var>document</var> be <var>settings</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#responsible-document">responsible document</a>.</p>
<li data-md="">
<p>Return "<code>Not Secure</code>" if any of the following are true:</p>
<ol>
<li data-md="">
<p><var>document</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#active-sandboxing-flag-set">active sandboxing flag set</a> contains the <a data-link-type="dfn" href="#sandboxed-secure-browsing-context-flag" id="ref-for-sandboxed-secure-browsing-context-flag-2">sandboxed secure browsing context flag</a>.</p>
<p class="note" role="note">Note: This check is "at risk". See <a href="#monkey-patching-sandbox-flags">§2.2.1 Sandboxing</a> for details.</p>
<li data-md="">
<p><var>document</var> has an <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#creator-browsing-context">creator browsing context</a> (<var>context</var>), and <var>context</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#creator-context-security">creator context security</a> is "<code>Not Secure</code>".</p>
<p class="note" role="note">Note: Since we take account of <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#creator-browsing-context">creator browsing contexts</a>'
status, a popups' status depends on how it is opened, as discussed
in <a href="#examples-top-level">§1.1 Top-level Documents</a>.</p>
<p class="issue" id="issue-23cbeb97"><a class="self-link" href="#issue-23cbeb97"></a> The 'creator context security' concept landed in
WHATWG’s HTML in <a href="https://github.com/whatwg/html/pull/1561">whatwg/html#1561</a>,
but doesn’t yet exist in W3C’s HTML. <a href="https://github.com/w3c/html/issues/524"><https://github.com/w3c/html/issues/524></a></p>
<p class="issue" id="issue-8ea95bab"><a class="self-link" href="#issue-8ea95bab"></a> This exclusion is "at risk",
as implementation is lagging, and there’s some discussion as to
whether or not it can be softened while maintaining the mitigations
against direct communication channels. <a href="https://github.com/w3c/webappsec-secure-contexts/issues/42"><https://github.com/w3c/webappsec-secure-contexts/issues/42></a></p>
<li data-md="">
<p><var>settings</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#https-state">HTTPS state</a> is "<code>deprecated</code>".</p>
<li data-md="">
<p><var>document</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#active-sandboxing-flag-set">active sandboxing flag set</a> includes the <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#sandboxed-into-a-unique-origin">sandboxed origin browsing context flag</a>, and <a href="#is-url-trustworthy">§3.3 Is url potentially trustworthy?</a> returns "<code>Not Trustworthy</code>" when executed upon <var>settings</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#creation-url">creation URL</a>.</p>
<p class="note" role="note">Note: We check the <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#creation-url">creation URL</a> here because sandboxed content
that is treated as being in an opaque origin (e.g. <code><iframe sandbox="allow-secure-context" src="http://127.0.0.1/"></code>)
would otherwise be treated as non-trustworthy by <a href="#is-origin-trustworthy">§3.2 Is origin potentially trustworthy?</a>. Since sandboxing is a strict reduction in
the content’s capabilities, and therefore in the risk it poses, we
look at the origin of its URL to determine whether we would have
considered it trustworthy had it not been sandboxed.</p>
<li data-md="">
<p><var>document</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#active-sandboxing-flag-set">active sandboxing flag set</a> does not include the <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#sandboxed-into-a-unique-origin">sandboxed origin browsing context flag</a>, and <a href="#is-origin-trustworthy">§3.2 Is origin potentially trustworthy?</a> returns "<code>Not Trustworthy</code>" when executed
upon <var>settings</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#concept-cross-origin">origin</a>.</p>
</ol>
<li data-md="">
<p>Return "<code>Secure</code>".</p>
</ol>
<h3 class="heading settled" data-level="3.2" id="is-origin-trustworthy"><span class="secno">3.2. </span><span class="content"> Is <var>origin</var> potentially trustworthy? </span><a class="self-link" href="#is-origin-trustworthy"></a></h3>
<p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="potentially-trustworthy-origin">potentially trustworthy origin</dfn> is one which a user agent
can generally trust as delivering data securely.</p>
<p>This algorithms considers certain hosts, scheme, and origins as potentially
trustworthy, even though they might not be authenticated and encrypted in the
traditional sense. In particular, the user agent SHOULD treat <code>file</code> URLs
as potentially trustworthy. In principle the user agent could treat local
files as untrustworthy, but, <em>given the information that is available to
the user agent at runtime</em>, the resources appear to have been transported
securely from disk to the user agent. Additionally, treating such resources as
potentially trustworthy is convenient for developers building an application
before deploying it to the public.</p>
<p>This developer-friendlyness is not without risk, however. User agents which
prioritize security over such niceties MAY choose to more strictly assign
trust in a way which excludes <code>file</code>.</p>
<p>On the other hand, the user agent MAY choose to extend this trust to other,
vendor-specific URL schemes like <code>app:</code> or <code>chrome-extension:</code> which it can
determine <i lang="la">a priori</i> to be trusted (see <a href="#packaged-applications">§7.1 Packaged Applications</a> for detail).</p>
<p>Given an <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#concept-cross-origin">origin</a> (<var>origin</var>), the following algorithm
returns "<code>Potentially Trustworthy</code>" or "<code>Not Trustworthy</code>" as appropriate.</p>
<ol>
<li data-md="">
<p>If <var>origin</var> is an <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#opaque-origin">opaque origin</a>, return "<code>Not Trustworthy</code>".</p>
<li data-md="">
<p class="assertion">Assert: <var>origin</var> is a <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#tuple-origin">tuple origin</a>.</p>
<li data-md="">
<p>If <var>origin</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#origin-scheme">scheme</a> is either "<code>https</code>" or "<code>wss</code>",
return "<code>Potentially Trustworthy</code>".</p>
<p class="note" role="note">Note: This is meant to be analog to the <a data-link-type="dfn" href="https://w3c.github.io/webappsec-mixed-content/#a-priori-authenticated-url"><i lang="la">a priori</i> authenticated URL</a> concept in <a data-link-type="biblio" href="#biblio-mix">[MIX]</a>.</p>
<li data-md="">
<p>If <var>origin</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#origin-host">host</a> component matches one of the CIDR
notations <code>127.0.0.0/8</code> or <code>::1/128</code> <a data-link-type="biblio" href="#biblio-rfc4632">[RFC4632]</a>, return "<code>Potentially Trustworthy</code>".</p>
<li data-md="">