Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Describe when features should be limited to secure contexts. #75

Closed
wants to merge 15 commits into from
Closed

Describe when features should be limited to secure contexts. #75

Changes from 1 commit
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
64e63a4
Describe when features should be limited to secure contexts.
dbaron Aug 23, 2017
fedee9d
Fix typo pointed out by annevk and jonathanKingston.
dbaron Aug 24, 2017
06189de
Change example about DOM events, per annevk.
dbaron Aug 24, 2017
29a876c
Make advice clearer and stronger in response to feedback, and restruc…
dbaron Aug 25, 2017
68a8522
Fix missing 'with'.
dbaron Aug 25, 2017
85009e1
Fix missing word pointed out by annevk.
dbaron Aug 25, 2017
ecb1acf
Remove paragraph that was too perscriptive.
dbaron Sep 30, 2017
9d9bb9c
Various edits to reflect the discussion in Nice.
dbaron Sep 30, 2017
0392c19
Merge 2 paragraphs that ended up nearly identical.
dbaron Sep 30, 2017
b465795
Wordsmith.
dbaron Sep 30, 2017
f7a2d20
Address @mikewest's concern that this sentence undercuts the prior on…
dbaron Oct 13, 2017
ee93b93
Cut down on feature detection prose, in favor of new section in #82.
dbaron Oct 13, 2017
6d90d7c
Reword to address @mikewest comment about features that depend on gua…
dbaron Oct 14, 2017
dfdd321
Move paragraph, per @mikewest suggestion.
dbaron Oct 14, 2017
a6cb3c3
Reword sentence on informing the TAG, again.
dbaron Oct 14, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 59 additions & 0 deletions index.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -345,6 +345,65 @@ and on when to use promises and when not to use promises,
see <strong><a href="https://www.w3.org/2001/tag/doc/promises-guide">Writing
Promise-Using Specifications</a></strong>.

<h3 id="secure-context">Limit new and distinct APIs to secure contexts</h3>

Many new APIs should be available only in
<a href="https://w3c.github.io/webappsec-secure-contexts/">secure contexts</a>.
This restriction exists for two reasons.
First, it helps encourage Web content and applications
to migrate to secure contexts.
Second, it can restrict new APIs where authentication, integrity, or confidentiality
are important to prevent substantial increases to the privacy or security risks of using the Web.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest reversing these. At least from Chrome's perspective, the latter has been the the overriding concern internally.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But the first is the main goal. If you make the second the main goal, it's easier for folks to weasel their way into an exception.

For more detail, see the W3C TAG Finding on
<a href="https://www.w3.org/2001/tag/doc/web-https">Securing the Web</a>.

When the new feature is defined in
<a href="https://heycam.github.io/webidl/">WebIDL</a>,
specification authors can limit a feature to secure contexts
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can or should?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this one actually meant can; this was a description of facts, not a conformance requirement.

by marking new interfaces and methods with the
<code>[<a href="https://w3c.github.io/webappsec-secure-contexts/#integration-idl">SecureContext</a>]</code> extended attribute
on interfaces, namespaces, or their members (such as methods and attributes).
Similar ways of marking features as limited to secure contexts should be added
to other points where the Web platform is extended over time
(for example, the definition of a new CSS property).
However, for some times of extension points (e.g., new DOM events),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't parse this sentence.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/times/types/ ?

limitation to secure contexts should just
be defined in normative prose in the specification.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the new event comes with a new interface it's quite easy to restrict it though. Maybe you should clarify this by talking about "dispatching an event" instead.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: I'd suggest that you move this paragraph up above the "And here are some exceptions" bit. Then the structure would be something like:

  1. Y'all should do this thing.
  2. Here's why you should do this thing.
  3. Here's how you should do this thing.
  4. And if you really don't want to do this thing, here's some things to think about.

That seems like a clearer message to me.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I reordered the paragraphs.


When deciding whether a feature should be limited to secure contexts,
we suggest considering the following factors:

: Does the feature have a clear and understandable boundary?

:: A feature that is limited to secure contexts
should be recognizable by the developers who use it as
distinct from features that are available in non-secure contexts.
This will reduce developer confusion about where the boundaries are.
For example, a new CSS property is a distinct feature,
whereas the ability to omit the commas in the CSS ''rgb()'' function is not.
New features that are clearly distinct
should generally be limited to secure contexts.
However, there are many cases where whether a feature is clearly distinct
is a matter of judgment.


: Does the feature depend on being in a secure context?

:: If a feature depends on
the expectations of authentication, integrity, or confidentiality
that are met only in secure contexts,
then it should be limited to secure contexts,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

must?

even if it is not a clearly distinct feature as described in the previous point.
For example, a feature that communicates with USB devices
if those devices have allowed
Web content from the site's origin
to communicate those USB devices
depends on the authentication of the origin
and the integrity of the data
sent to the USB device,
since sending untrusted data to a USB device could damage that device
or compromise computers that the device connects to.

<h2 id="event-design">Event Design</h2>

<h3 id="always-add-event-handlers">Always add event handler attributes</h3>
Expand Down