From 4e14df58c1148bcb448992d4b579a50f4f881051 Mon Sep 17 00:00:00 2001
From: Mike West The following features are at-risk, and may be dropped during the CR period: “At-risk” is a W3C Process term-of-art, and does not necessarily imply that the feature is in danger of being dropped or delayed. It means that the WG believes the feature may have difficulty being interoperably implemented in a timely manner, and marking it as such allows the WG to drop the feature if necessary when transitioning to the Proposed Rec stage, without having to publish a new Candidate Rec without the feature first. An environment settings object is considered a secure
- context if the algorithm in §3.1 Is settings object a secure context? returns "
-
Table of Contents
2. Framework
Secure
", and a non-secure context otherwise.Secure
", and a non-secure context otherwise.
Likewise, a global object is considered a secure context if its relevant settings object is a secure context.
If the result of executing §3.1 Is settings object a secure context? on the current
+ If the result of executing §3.1 Is the environment settings object settings a secure context? on the current
settings object does not match the result of executing the same
algorithm on worker global scope’s relevant settings
object, then throw a SecurityError
exception, and abort
@@ -2006,12 +2018,12 @@ secure contexts
, a simple boolean attribute is added to the
global object:
partial interface WindowOrWorkerGlobalScope { +partial interface WindowOrWorkerGlobalScope { readonly attribute boolean isSecureContext; };-WindowOrWorkerGlobalScope
does not appear to be defined in W3C’s +WindowOrWorkerGlobalScope
does not appear to be defined in W3C’s HTML. For the purposes of that specification, the IDL above could be interpreted as:interface GlobalSecureContext { @@ -2023,11 +2035,11 @@w3c/html#522.
The
+ returnsisSecureContext
attribute’s getter - returnstrue
if §3.1 Is settings object a secure context? returns "Secure
" when executed uponthis
global object’s relevant settings object, andfalse
otherwise.true
if §3.1 Is the environment settings object settings a secure context? returns "Secure
" when executed uponthis
global object’s relevant settings object, andfalse
otherwise.
Given an environment settings object (settings) this algorithm
returns "Secure
" if the object represents a context which the user agent
obtained via a secure channel, and "Not Secure
" otherwise.
If §3.1 Is settings object a secure context? returns "Not Secure
" when executed upon document’s relevant settings object, return "Not Secure
".
Assert: Workers must be same-origin with the context that created + them, so document’s relevant settings object’s origin and HTTPS + state is the same as global’s relevant settings + object’s origin and HTTPS state.
+If §3.1 Is the environment settings object settings a secure context? returns "Not Secure
" when executed upon document’s relevant settings object, return "Not Secure
".
Return "Secure
".
Note: Given the assertion above, if we’ve reached this step, the + worker must have been created from a secure context, and + therefore must itself be a secure context.
Assert: global is a Window
.
Assert: global is a Window
.
Let document be settings’s responsible document.
If settings object’s responsible document has an creator
- browsing context whose creator context security is "Not Secure
", return "Not Secure
".
Note: Since we take account of creator browsing contexts' +
Return "Not Secure
" if any of the following are true:
document’s active sandboxing flag set contains the sandboxed secure browsing context flag.
+Note: This check is "at risk". See §2.2.1 Sandboxing for details.
+document has an creator browsing context (context), and context’s creator context security is "Not Secure
".
Note: Since we take account of creator browsing contexts' status, a popups' status depends on how it is opened, as discussed in §1.1 Top-level Documents.
-The 'creator context security' concept landed in +
The 'creator context security' concept landed in WHATWG’s HTML in whatwg/html#1561, but doesn’t yet exist in W3C’s HTML. <https://github.com/w3c/html/issues/524>
-If settings object’s responsible document’s active sandboxing
- flag set contains the sandboxed secure browsing context flag,
- return "Not Secure
".
NOTE: This check is "at risk". See §2.2.1 Sandboxing for - details.
-If settings object’s HTTPS state is "modern
", return
- "Secure
".
srcdoc
Document
s
- inherit their ancestor’s HTTPS state (as do other kinds of
- requests which inherit their requestor’s origin: see the basic
- fetch algorithm for details on some of these [FETCH]).
- We only continue past this check in order to allow resources
- delivered from "trustworthy" but unauthenticated locations like http://127.0.0.1/
to be treated as creating a secure context.
Let origin be settings object’s origin.
-If origin is an opaque origin, set origin to the origin of settings object’s creation - URL.
-Note: We use the origin of the URL here because sandboxed content that
- is treated as being in a unique origin (e.g. <iframe sandbox src="http://127.0.0.1/">
) would otherwise be treated as
- non-trustworthy by §3.2 Is origin potentially trustworthy?. Since sandboxing is a
- strict reduction in the content’s capabilities, and therefore in the
- risk it poses, we look at the origin of its URL to determine whether we
- would have considered it trustworthy had it not been sandboxed.
If the result of executing the §3.2 Is origin potentially trustworthy? algorithm
- on origin is not "Potentially Trustworthy
", then
- return "Not Secure
".
settings’s HTTPS state is "deprecated
".
document’s active sandboxing flag set includes the sandboxed origin browsing context flag, and §3.3 Is url potentially trustworthy? returns "Not Trustworthy
" when executed upon settings’s creation URL.
Note: We check the creation URL here because sandboxed content
+ that is treated as being in an opaque origin (e.g. <iframe sandbox="allow-secure-context" src="http://127.0.0.1/">
)
+ would otherwise be treated as non-trustworthy by §3.2 Is origin potentially trustworthy?. Since sandboxing is a strict reduction in
+ the content’s capabilities, and therefore in the risk it poses, we
+ look at the origin of its URL to determine whether we would have
+ considered it trustworthy had it not been sandboxed.
document’s active sandboxing flag set does not include the sandboxed origin browsing context flag, and §3.2 Is origin potentially trustworthy? returns "Not Trustworthy
" when executed
+ upon settings’s origin.
Return "Secure
".
app:
or chrome-extension:
which it can
determine a priori to be trusted (see §7.1 Packaged Applications for detail).
- Given an origin (origin), the following algorithm returns
- "Potentially Trustworthy
" or "Not Trustworthy
" as appropriate.
Given an origin (origin), the following algorithm
+ returns "Potentially Trustworthy
" or "Not Trustworthy
" as appropriate.
If origin is an opaque origin, return "Not Trustworthy
".
Assert: origin is a tuple origin.
+Assert: origin is a tuple origin.
If origin’s scheme is either "https
" or "wss
",
return "Potentially Trustworthy
".
Note: This is meant to be analog to the a priori authenticated URL concept in [MIX].
-Note: The origin of blob:
and filesystem:
URLs is the origin of the
- context in which they were created. Therefore, blobs created in a
- trustworthy origin will themselves be potentially trustworthy. The origin
- of data:
and javascript:
URLs, on the other hand, is an opaque
- origin, which will not be considered potentially trustworthy.
If origin’s host component matches one of the CIDR
notations 127.0.0.0/8
or ::1/128
[RFC4632], return "Potentially Trustworthy
".
Return "Not Trusted
".
Note: Neither origin’s domain nor port has any effect on whether or not it is considered to be a secure context.
+Note: Neither origin’s domain nor port has any effect on whether or not it is considered to be a secure context.
+A potentially trustworthy URL is one which either inherits
+ context from it’s creator (about:blank
, about:srcdoc
) or one whose origin is a potentially trustworthy origin.
+ Given a URL (url), the following algorithm returns "Potentially Trustworthy
" or "Not Trustworthy
" as appropriate:
If url’s scheme is "data
", return "Not Trustworthy
".
Note: This aligns the definition of a secure context with the de facto "data:
URL as opaque origin"
+ behavior that a majority of today’s browsers have agreed upon, rather
+ than the de jure "data:
URL inherits origin"
+ behavior defined in HTML.
If url is "about:blank
" or "about:srcdoc
", return "Potentially Trustworthy
".
Return the result of executing §3.2 Is origin potentially trustworthy? on url’s origin.
+Note: The origin of blob:
and filesystem:
URLs is the origin of the
+ context in which they were created. Therefore, blobs created in a
+ trustworthy origin will themselves be potentially trustworthy.
The §3.1 Is settings object a secure context? algorithm walks through all the ancestors of a +
The §3.1 Is the environment settings object settings a secure context? algorithm walks through all the ancestors of a
particular context in order to determine whether or not the context itself is
secure. Why wouldn’t we consider a securely-delivered document in an iframe
to be secure, in and of itself?
The short answer is that this model would enable abuse. Chrome’s @@ -2190,13 +2213,13 @@
While the algorithms in this document do not perfectly isolate non-secure - contexts from secure contexts (as discussed in §5.1 Incomplete Isolation), the + contexts from secure contexts (as discussed in §5.1 Incomplete Isolation), the ancestor checks provide a fairly robust protection for the guarantees of authentication, confidentiality, and integrity that such contexts ought to ptovide.
Certain web platform features that have a distinct impact on a user’s - security or privacy should be available for use only in secure + security or privacy should be available for use only in secure contexts in order to defend against the threats above. Features available in non-secure contexts risk exposing these capabilities to network attackers:
@@ -2226,7 +2249,7 @@Note: While restricting a feature itself to secure contexts is critical, we ought not forget that facilities that carry such information (such as new network access mechanisms, or other generic functions with access to network data) are equally sensitive.
@@ -2234,7 +2257,7 @@The secure context definition in this document does not completely +
The secure context definition in this document does not completely
isolate a "secure" view on an origin from a "non-secure" view on the same
origin. Exfiltration will still be possible via increasingly esoteric
mechanisms such as the contents of localStorage
/sessionStorage
, storage
events, BroadcastChannel
, and others.
The secure context definition in this document does not in itself have +
The secure context definition in this document does not in itself have any privacy impact. It does, however, enable other features which do have interesting privacy implications to lock themselves into contexts which ensures that specific guarantees can be made regarding integrity, @@ -2273,13 +2296,13 @@
This section is non-normative.
When writing a specification for new features, we recommend that authors - and editors guard sensitive APIs with checks against secure contexts. + and editors guard sensitive APIs with checks against secure contexts. For example, something like the following might be a good approach:
Authors could alternatively ensure that sensitive APIs are only exposed to secure contexts by guarding them with the [SecureContext]
attribute:
Authors could alternatively ensure that sensitive APIs are only exposed to secure contexts by guarding them with the [SecureContext]
attribute:
[SecureContext] @@ -2308,16 +2331,16 @@7.4
This section is non-normative.
The list above clearly includes some existing functionality that is currently available to the web over non-secure channels. We recommend that such legacy - functionality be modified to begin requiring a secure context as + functionality be modified to begin requiring a secure context as quickly as is reasonably possible [W3C-PROCESS].
If such a feature is not widely implemented, we recommend that the specification be immediately modified to include a restriction - to secure contexts.
+ to secure contexts.If such a feature is widely implemented, but not yet in wide use, we - recommend that it be quickly restricted to secure contexts by + recommend that it be quickly restricted to secure contexts by adding a check as described in §7.3 Restricting New Features to existing implementations, and modifying the specification accordingly.
If such a feature is in wide use, we recommend that the existing @@ -2333,8 +2356,8 @@
Modify the specification to include - checks against secure context before executing the algorithms for
-getCurrentPosition()
andwatchPosition()
.If the current settings object is not a secure context, + checks against secure context before executing the algorithms for
+getCurrentPosition()
andwatchPosition()
.If the current settings object is not a secure context, then the algorithm should be aborted, and the
errorCallback
invoked with acode
ofPERMISSION_DENIED
.The user agent should announce clear intentions to disable the API for @@ -2406,16 +2429,12 @@
isSecureContext, in §2.2.3
- non-secure context, in §2
- potentially trustworthy origin, in §3.2 +
- potentially trustworthy URL, in §3.3
- sandboxed secure browsing context flag, in §2.2.1
- secure context, in §2
Terms defined by reference
-
- - [FETCH] defines the following terms: -
-
- basic fetch -
- [GEOLOCATION-API] defines the following terms:
@@ -2425,6 +2444,7 @@
-[HTML] defines the following terms: @@ -2435,6 +2455,7 @@
Window
- active sandboxing flag set
- browsing context +
- concept origin
- creation url
- creator browsing context
- current settings object @@ -2446,11 +2467,12 @@
iframe
- opaque origin
- opener browsing context -
- origin +
- origin
- parse the sandboxing directive
- port
- relevant settings object
- responsible document +
- sandboxed origin browsing context flag
- scheme
- the environment settings object's global object
- top-level browsing context @@ -2461,12 +2483,6 @@
- a priori authenticated url
- - [WHATWG-URL] defines the following terms: -
-
- origin of a url -
- scheme -
- [W3C-PROCESS] defines the following terms:
@@ -2485,6 +2501,17 @@
+WorkerGlobalScope
- the worker's documents
- + [WHATWG-URL] defines the following terms: + +
- + [WHATWG-URL] defines the following terms: +
+
- scheme +
References
Normative References
@@ -2514,8 +2541,6 @@Rich Tibbett. Network Service Discovery. 20 February 2014. WD. URL: http://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html
- [ENCRYPTED-MEDIA]
- David Dorwin; et al. Encrypted Media Extensions. 5 July 2016. CR. URL: https://w3c.github.io/encrypted-media/ -
- [FETCH] -
- Anne van Kesteren. Fetch Standard. Living Standard. URL: https://fetch.spec.whatwg.org/
- [FULLSCREEN]
- Anne van Kesteren. Fullscreen API Standard. Living Standard. URL: https://fullscreen.spec.whatwg.org/
- [GEOLOCATION-API] @@ -2546,7 +2571,7 @@
Cameron McCormack; Boris Zbarsky. Web IDL (Second Edition). 23 June 2016. ED. URL: https://heycam.github.io/webidl/
IDL Index
-partial interface WindowOrWorkerGlobalScope { +partial interface WindowOrWorkerGlobalScope { readonly attribute boolean isSecureContext; }; @@ -2565,7 +2590,7 @@↵
WindowOrWorkerGlobalScope
does not appear to be defined in W3C’s
+ WindowOrWorkerGlobalScope
does not appear to be defined in W3C’s
HTML. For the purposes of that specification, the IDL above could be
interpreted as:
interface GlobalSecureContext { @@ -2579,7 +2604,7 @@The 'creator context security' concept landed in WHATWG’s HTML in whatwg/html#1561, - but doesn’t yet exist in W3C’s HTML. <https://github.com/w3c/html/issues/524> ↵