-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Describe when features should be limited to secure contexts. #75
Changes from 10 commits
64e63a4
fedee9d
06189de
29a876c
68a8522
85009e1
ecb1acf
9d9bb9c
0392c19
b465795
f7a2d20
ee93b93
6d90d7c
dfdd321
a6cb3c3
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -345,6 +345,81 @@ and on when to use promises and when not to use promises, | |
see <strong><a href="https://www.w3.org/2001/tag/doc/promises-guide">Writing | ||
Promise-Using Specifications</a></strong>. | ||
|
||
<h3 id="secure-context">Limit new features to secure contexts</h3> | ||
|
||
New capabilities added to the Web should be available only in | ||
<a href="https://w3c.github.io/webappsec-secure-contexts/">secure contexts</a>. | ||
Exposing them in non-secure contexts | ||
is discouraged and requires strong justification. | ||
The TAG is interested in hearing about and discussing cases | ||
where it is unclear whether exposing the capability | ||
in non-secure contexts is justifiable. | ||
|
||
This restriction exists for two reasons. | ||
First, it helps encourage Web content and applications | ||
to migrate to secure contexts. | ||
Second, some new features depend on authentication, integrity, or confidentiality | ||
to prevent substantial increases to the privacy or security risks of using the Web. | ||
For more detail, see the W3C TAG Finding on | ||
<a href="https://www.w3.org/2001/tag/doc/web-https">Securing the Web</a>. | ||
|
||
The most common justification that we expect | ||
for supporting a new capability in non-secure contexts | ||
is that the new capability is not recognizably separate | ||
from an existing feature that is available in non-secure contexts. | ||
In this case, limiting it to secure contexts could cause | ||
developer confusion about where the boundaries are. | ||
We also don't want to increase | ||
the complexity of implementations of Web technology | ||
by requiring tests for secure contexts in too many *types* of places. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't really understand this claim. Can you help me out? What "types of places" do you mean? The example below didn't help me (but I'm also not really a CSS guy, so the distinction between the difficulty of detecting a new property vs new syntax isn't clear to me... it seems like the former would be easier, though?). :( There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What I mean by this is that for There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. For WebIDL, Chrome checks when generating bindings for a given context (e.g. everything is wrapped up in the I think I agree with the thrust of your comments here, but I still don't really understand what this paragraph is telling feature designers. Does it boil down to "Use There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think it boils down to "use There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can we make it a requirement for specs to have web platform tests so that all browsers are consistent in how these features are hidden/fail? Such that "For deprecations or places where [SecureContext] isn't relevant, we do inline checks at the entry point to the API" behaves consistently? |
||
For example, exposing to non-secure contexts a new CSS property | ||
that adds support for a new line spacing model | ||
cannot be justified on this basis, | ||
but exposing the ability to omit the commas in the CSS ''rgb()'' function can. | ||
|
||
The existence of new features should generally be detectable, | ||
so that web content can act appropriately if the feature is present or not. | ||
This applies both to features that are not present because they are not implemented, | ||
and to features that are not present in a non-secure context because | ||
they are limited to secure contexts. | ||
Putting this another way, | ||
a feature that is limited to secure contexts should, in non-secure contexts, | ||
be indistinguishable from a feature that is not implemented. | ||
However, if, for some reason | ||
(a reason that itself requires serious justification), | ||
it is not possible for developers to detect whether a feature is present, | ||
limiting the feature to secure contexts | ||
might cause problems | ||
for libraries that may be used in either secure or non-secure contexts. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This paragraph seems like a distinct design principle ("Thou shalt enable feature detection.") that you could discuss at length elsewhere, and reference here. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I moved this into #82 and revised the text. |
||
|
||
If a feature depends on | ||
the expectations of authentication, integrity, or confidentiality | ||
that are met only in secure contexts, | ||
then it must be limited to secure contexts, | ||
even if the other factors above could justify exposing it in non-secure contexts. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't see it as the feature depending on authentication, integrity, or confidentiality, but instead the feature posing some risk to user privacy or security which is mitigated only by requiring authentication, integrity, and confidentiality. I mean, at some level, all features depend on the page's integrity, right? :) WDYT about something like "If a feature poses a risk to user privacy or security which can be mitigated by requiring authentication, integrity, and confidentiality, the feature must be limited to secure contexts, ..."? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. To avoid the "poses a risk" in your wording that makes it sound like the feature is problematic, I think I'm going to try:
|
||
For example, a feature that communicates with USB devices | ||
if those devices have allowed | ||
Web content from the site's origin | ||
to communicate with those USB devices | ||
depends on the authentication of the origin | ||
and the integrity of the data | ||
sent to the USB device, | ||
since sending untrusted data to a USB device could damage that device | ||
or compromise computers that the device connects to. | ||
|
||
Specification authors can limit most features defined in | ||
<a href="https://heycam.github.io/webidl/">WebIDL</a>, | ||
to secure contexts | ||
by using the | ||
<code>[<a href="https://w3c.github.io/webappsec-secure-contexts/#integration-idl">SecureContext</a>]</code> extended attribute | ||
on interfaces, namespaces, or their members (such as methods and attributes). | ||
Similar ways of marking features as limited to secure contexts should be added | ||
to other major points where the Web platform is extended over time | ||
(for example, the definition of a new CSS property). | ||
However, for some types of extension points (e.g., dispatching an event), | ||
limitation to secure contexts should just | ||
be defined in normative prose in the specification. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If the new event comes with a new interface it's quite easy to restrict it though. Maybe you should clarify this by talking about "dispatching an event" instead. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Nit: I'd suggest that you move this paragraph up above the "And here are some exceptions" bit. Then the structure would be something like:
That seems like a clearer message to me. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I reordered the paragraphs. |
||
|
||
<h2 id="event-design">Event Design</h2> | ||
|
||
<h3 id="always-add-event-handlers">Always add event handler attributes</h3> | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This sentence is odd, as it directly undercuts the rest of the paragraph. Have the courage of your convictions!
If y'all feel the need to weaken the claim that "New capabilities added to the Web should be available only in secure context", I'd suggest doing so weakly. Perhaps "There may be reasonable justification for exposing a given capability in non-secure contexts; the TAG is interested in hearing about those edge cases, and working to resolve them."?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about just:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or, simpler:
(I'm pulling the "working to resolve" because I suspect that much of what we hear about might qualify as "not a new feature".)