diff --git a/WD.html b/WD.html index d6c022d..027d902 100644 --- a/WD.html +++ b/WD.html @@ -43,57 +43,6 @@ [data-md] > :last-child { margin-bottom: 0; } - - + + +

-

Secure Contexts

-

W3C Working Draft,

+

Secure Contexts

+

W3C Working Draft,

This version: -
http://www.w3.org/TR/2016/WD-secure-contexts-20160506/ +
http://www.w3.org/TR/2016/WD-secure-contexts-20160715/
Latest published version:
http://www.w3.org/TR/secure-contexts/
Editor's Draft: @@ -242,29 +315,6 @@

Status of this document

-

This section describes the status of this document at the time of - its publication. Other documents may supersede this document. A list of - current W3C publications and the latest revision of this technical report - can be found in the W3C technical reports - index at http://www.w3.org/TR/.

-

This document was published by the Web Application Security Working Group as a Working Draft. This document is intended to become a W3C Recommendation.

-

The (archived) public mailing list public-webappsec@w3.org (see instructions) - is preferred for discussion of this specification. - When sending e-mail, - please put the text “secure-contexts” in the subject, - preferably like this: - “[secure-contexts] …summary of comment…

-

Publication as a Working Draft does not imply endorsement by the W3C - Membership. This is a draft document and may be updated, replaced or - obsoleted by other documents at any time. It is inappropriate to cite this - document as other than work in progress.

-

This document was produced by the Web Application Security Working Group.

-

This document was produced by a group operating under - the 5 February 2004 W3C Patent Policy. - W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; - that page also includes instructions for disclosing a patent. - An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

-

This document is governed by the 1 September 2015 W3C Process Document.

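Review bot: this hunk (header `@@ -242,29 +315,6 @@`) deletes the whole Status of this Document block, including the mailing-list instructions, the "work in progress" caveat, the patent-policy paragraph and the Process Document sentence, and leaves only 6 lines of context with no replacement `+` lines in this region. If the status text is regenerated elsewhere in the build that is fine, but if not, the published Working Draft would ship without the status section a W3C WD carries; please confirm where the new SOTD is produced. The removed sentence also names the 1 September 2015 Process Document, so whatever replaces it should cite the same process version as the [W3C-PROCESS] reference entry.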
@@ -702,8 +752,7 @@

2. Framework

-

A settings object is considered a secure context#secure-contextReferenced in:1.1. Top-level Documents (2)1.2. Framed Documents (2) (3)1.3. Web Workers (2) (3) (4)1.4. Shared Workers (2) (3) (4)1.5. Service Workers (2) (3)2. Framework (2)2.2.1. Shared Workers (2) (3)2.2.2. Feature Detection (2)3.1. - Is settings object a secure context? 4.2. Ancestral Risk4.3. Risks associated with non-secure contexts (2)5.1. Incomplete Isolation6. Privacy Considerations7.3. Restricting New Features (2) (3)7.4. Restricting Legacy Features (2) (3)7.4.1. Example: Geolocation (2) if +

A settings object is considered a secure context if the algorithm in §3.1 Is settings object a secure context? returns "Secure". The settings object is otherwise non-secure.

Likewise, a global object is considered a secure context if its relevant settings object is a secure context.

@@ -714,21 +763,21 @@

-
interface ExampleFeature {
+
interface ExampleFeature {
   // This call will succeed in all contexts.
-  Promise <double> calculateNotSoSecretResult();
+  Promise <double> calculateNotSoSecretResult();
 
   // This operation will not be exposed to a non-secure context.
-  [SecureContext] Promise<double> calculateSecretResult();
+  [SecureContext] Promise<double> calculateSecretResult();
 
   // The same applies here: the operation will not be exposed to a non-secure context.
-  [SecureContext] boolean getSecretBoolean();
+  [SecureContext] boolean getSecretBoolean();
 };
 
-[SecureContext]
-interface SecureFeature {
+[SecureContext]
+interface SecureFeature {
   // This interface will not be exposed to non-secure contexts.
-  Promise<any> doAmazingThing();
+  Promise<any> doAmazingThing();
 };
 

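Review bot: the `-`/`+` pairs in this hunk carry identical IDL text, so the change is markup-only (regenerated highlighting). While the block is being touched, `Promise <double> calculateNotSoSecretResult();` has a stray space between `Promise` and `<double>` on both the old and the new line, whereas `[SecureContext] Promise<double> calculateSecretResult();` two declarations below does not; drop the space so the two declarations read consistently.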
@@ -747,7 +796,7 @@

  1. -

    If the result of executing §3.1 Is settings object a secure context? on the incumbent +

    If the result of executing §3.1 Is settings object a secure context? on the current settings object does not match the result of executing the same algorithm on worker global scope’s relevant settings object, then throw a SecurityError exception, and abort @@ -758,12 +807,12 @@

3.2. Is origin potentially trustworthy?

-

A potentially trustworthy origin#potentially-trustworthy-originReferenced in:1.2. Framed Documents1.3. Web Workers is one which a user agent +

A potentially trustworthy origin is one which a user agent can generally trust as delivering data securely.

This algorithms considers certain hosts, scheme, and origins as potentially trustworthy, even though they might not be authenticated and encrypted in the @@ -1003,11 +1052,11 @@

7.3. <

When writing a specification for new features, we recommend that authors and editors guard sensitive APIs with checks against secure contexts. For example, something like the following might be a good approach:

-
- +
+
  1. - If the incumbent settings object is not a secure + If the current settings object is not a secure context, then:
    1. [insert something appropriate here: perhaps a Promise could be @@ -1016,19 +1065,18 @@

      7.3. <

-

Authors should also ensure that sensitive APIs are only exposed to secure - contexts by guarding them with the [SecureContext] attribute:

+

Authors could alternatively ensure that sensitive APIs are only exposed to secure contexts by guarding them with the [SecureContext] attribute:

-
[SecureContext]
-interface SensitiveFeature {
-  Promise<double> getTheSecretDouble();
+
[SecureContext]
+interface SensitiveFeature {
+  Promise<double> getTheSecretDouble();
 };
 
 // Or:
 
-interface AnotherSensitiveFeature {
-  [SecureContext] void doThatPowerfulThing();
+interface AnotherSensitiveFeature {
+  [SecureContext] void doThatPowerfulThing();
 };
 
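Review bot: rewording "Authors should also ensure that sensitive APIs are only exposed to secure contexts by guarding them with the [SecureContext] attribute" to "Authors could alternatively ensure ..." changes the guidance from "do both" to "pick one". The two mechanisms are not equivalent: the attribute removes the interface or member from non-secure contexts entirely (the §2 example comments say the operation "will not be exposed to a non-secure context"), so a non-secure page sees it as absent, while the algorithmic check in §7.3 keeps the member visible and produces a defined runtime failure (the step reads "perhaps a Promise could be ..."). If the intent is that either approach suffices, state that and note the observable difference; otherwise keep "should also" so that specifications apply both.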
@@ -1062,7 +1110,7 @@

Modify the specification to include checks against secure context before executing the algorithms for getCurrentPosition() and watchPosition().

-

If the incumbent settings object is not a secure context, +

If the current settings object is not a secure context, then the algorithm should be aborted, and the errorCallback invoked with a code of PERMISSION_DENIED.

  • The user agent should announce clear intentions to disable the API for @@ -1170,8 +1218,8 @@

    auxiliary browsing context
  • browsing context
  • creator document +
  • current settings object
  • global object -
  • incumbent settings object
  • opaque identifier
  • opener browsing context
  • origin @@ -1199,7 +1247,6 @@

    [WebIDL-1] defines the following terms:
  • @@ -1224,11 +1271,11 @@

    Normative References

    [GEOLOCATION-API] -
    Andrei Popescu. Geolocation API Specification. 28 May 2015. PER. URL: http://dev.w3.org/geo/api/spec-source.html +
    Andrei Popescu. Geolocation API Specification. 28 May 2015. PER. URL: https://www.w3.org/TR/geolocation-API/
    [HTML]
    Ian Hickson. HTML Standard. Living Standard. URL: https://html.spec.whatwg.org/multipage/
    [HTML5] -
    Ian Hickson; et al. HTML5. 28 October 2014. REC. URL: http://www.w3.org/html/wg/drafts/html/master/ +
    Ian Hickson; et al. HTML5. 28 October 2014. REC. URL: https://www.w3.org/TR/html5/
    [RFC2119]
    S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://tools.ietf.org/html/rfc2119
    [RFC4632] @@ -1236,15 +1283,15 @@

    N
    [W3C-PROCESS]
    Charles McCathie Nevile. World Wide Web Consortium Process Document. URL: http://www.w3.org/2014/Process-20140801/
    [WebIDL-1] -
    Cameron McCormack; Boris Zbarsky. WebIDL Level 1. 8 March 2016. CR. URL: https://heycam.github.io/webidl/ +
    Cameron McCormack; Boris Zbarsky. WebIDL Level 1. 8 March 2016. CR. URL: https://www.w3.org/TR/WebIDL-1/
    [WEBSTORAGE] -
    Ian Hickson. Web Storage (Second Edition). 19 April 2016. REC. URL: https://w3c.github.io/webstorage/ +
    Ian Hickson. Web Storage (Second Edition). 19 April 2016. REC. URL: https://www.w3.org/TR/webstorage/
    [WHATWG-DOM]
    Anne van Kesteren. DOM Standard. Living Standard. URL: https://dom.spec.whatwg.org/
    [WHATWG-URL]
    Anne van Kesteren; Sam Ruby. URL Standard. Living Standard. URL: https://url.spec.whatwg.org/
    [WORKERS] -
    Ian Hickson. Web Workers. 24 September 2015. WD. URL: https://html.spec.whatwg.org/multipage/workers.html +
    Ian Hickson. Web Workers. 24 September 2015. WD. URL: https://www.w3.org/TR/workers/

    Informative References

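Review bot: the unchanged context entry `[W3C-PROCESS] Charles McCathie Nevile. World Wide Web Consortium Process Document. URL: http://www.w3.org/2014/Process-20140801/` is inconsistent with the Status section removed earlier in this patch, which says the document is governed by the 1 September 2015 Process Document. Update the entry to the 2015 process URL and, to match every other W3C link this hunk rewrites ([WebIDL-1], [WEBSTORAGE], [WORKERS] all move to https://www.w3.org/TR/...), to https.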
    @@ -1257,17 +1304,17 @@

    [DISCOVERY]
    Rich Tibbett. Network Service Discovery. URL: https://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html
    [ENCRYPTED-MEDIA] -
    David Dorwin; et al. Encrypted Media Extensions. 28 April 2016. WD. URL: http://www.w3.org/TR/encrypted-media/ +
    David Dorwin; et al. Encrypted Media Extensions. 10 June 2016. WD. URL: https://www.w3.org/TR/encrypted-media/
    [FETCH]
    Anne van Kesteren. Fetch Standard. Living Standard. URL: https://fetch.spec.whatwg.org/
    [FULLSCREEN]
    Anne van Kesteren. Fullscreen API Standard. Living Standard. URL: https://fullscreen.spec.whatwg.org/
    [IndexedDB] -
    Nikunj Mehta; et al. Indexed Database API. 8 January 2015. REC. URL: http://www.w3.org/TR/IndexedDB/ +
    Nikunj Mehta; et al. Indexed Database API. 8 January 2015. REC. URL: https://www.w3.org/TR/IndexedDB/
    [MEDIACAPTURE-STREAMS] -
    Daniel Burnett; et al. Media Capture and Streams. 14 April 2015. LCWD. URL: http://www.w3.org/TR/mediacapture-streams/ +
    Daniel Burnett; et al. Media Capture and Streams. 19 May 2016. CR. URL: https://www.w3.org/TR/mediacapture-streams/
    [MIX] -
    Mike West. Mixed Content. 8 October 2015. CR. URL: https://w3c.github.io/webappsec/specs/mixedcontent/ +
    Mike West. Mixed Content. 8 October 2015. CR. URL: https://www.w3.org/TR/mixed-content/
    [POWERFUL-NEW-FEATURES]
    Chrome Security Team. Prefer Secure Origins For Powerful New Features. URL: https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features
    [RFC6265] @@ -1277,22 +1324,63 @@

    [RFC7258]
    S. Farrell; H. Tschofenig. Pervasive Monitoring Is an Attack. May 2014. Best Current Practice. URL: https://tools.ietf.org/html/rfc7258
    [SERVICE-WORKERS] -
    Alex Russell; Jungkee Song; Jake Archibald. Service Workers. 25 June 2015. WD. URL: http://www.w3.org/TR/service-workers/ +
    Alex Russell; Jungkee Song; Jake Archibald. Service Workers. 25 June 2015. WD. URL: https://www.w3.org/TR/service-workers/
    [VERIZON]
    Mark Bergen; Alex Kantrowitz. Verizon looks to target its mobile subscribers with ads. URL: http://adage.com/article/digital/verizon-target-mobile-subscribers-ads/293356/
    [WEBCRYPTOAPI] -
    Ryan Sleevi; Mark Watson. Web Cryptography API. 11 December 2014. CR. URL: http://www.w3.org/TR/WebCryptoAPI/ +
    Ryan Sleevi; Mark Watson. Web Cryptography API. 11 December 2014. CR. URL: https://www.w3.org/TR/WebCryptoAPI/

    IDL Index

    -
    partial interface Window {
    -  readonly attribute boolean isSecureContext;
    +
    partial interface Window {
    +  readonly attribute boolean isSecureContext;
     };
     
    -partial interface WorkerGlobalScope {
    -  readonly attribute boolean isSecureContext;
    +partial interface WorkerGlobalScope {
    +  readonly attribute boolean isSecureContext;
     };
     
     
    + + + +
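Review bot: in the first hunk, the "This version" link is bumped to `http://www.w3.org/TR/2016/WD-secure-contexts-20160715/` and "Latest published version" stays at `http://www.w3.org/TR/secure-contexts/`, both still on `http://www.w3.org/`, while the reference hunks later in this same patch migrate every W3C URL to `https://www.w3.org/`. Make the header links follow the same migration so the document does not point at itself over plain http.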
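Review bot: in the §3.2 hunk, the unchanged context sentence "This algorithms considers certain hosts, scheme, and origins as potentially trustworthy" has two number-agreement errors; it should read "This algorithm considers certain hosts, schemes, and origins as potentially trustworthy". Since the preceding paragraph of that section is being rewritten in this commit anyway, fix the sentence in the same change.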