Skip to content

Restrict API to secure contexts #413

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Feb 27, 2017
Merged

Restrict API to secure contexts #413

merged 4 commits into from
Feb 27, 2017

Conversation

markafoltz
Copy link
Contributor

Address Issue #380: Authenticity of screen selection permission is problematic in insecure contexts

This restricts the use of Presentation API to secure contexts through the use of [SecureContext]. Also:

  • Mixed content check is simplified
  • Examples are updated to use https:
  • Use correct term for a priori authenticated URL
  • Remove xref to potentially trustworthy origin as it's unused
  • Remove discussion of insecure origin display

@markafoltz
Copy link
Contributor Author

@mikewest @annevk

@annevk
Copy link
Member

annevk commented Feb 25, 2017

Looks good. Thanks!

mikewest
mikewest approved these changes Feb 26, 2017
View reviewed changes
Copy link
Member

@mikewest mikewest left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

\o/

tidoust
tidoust reviewed Feb 27, 2017
View reviewed changes
Copy link
Member

@tidoust tidoust left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One typo, looks good to me otherwise

index.html Outdated
Security Contexts"</code> and any member of
<var>presentationUrls</var> is an <a>a priori unauthenticated
URL</a>, then throw a <a>SecurityError</a> and abort these steps.
<li>If any member of <var>presentationUrls</var> is an not an <a>a
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/an not an/not an/

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@anssiko
Copy link
Member

anssiko commented Feb 27, 2017

LGTM.

I noticed there's a ReSpec auto-linking issue ([SecureContext] links are broken) and reported it at https://github.com/w3c/respec/issues/989#issuecomment-282699377

We don't need to block on the ReSpec bug, and we're good to merge when comments have been addressed (can manually fix the broken links at publication time).

@anssiko anssiko mentioned this pull request Feb 27, 2017
Closed
6 tasks
@markafoltz markafoltz merged commit 7d5ffe9 into gh-pages Feb 27, 2017
@markafoltz markafoltz deleted the issue-380-securecontext branch February 27, 2017 22:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tidoust tidoust tidoust left review comments

@mikewest mikewest mikewest approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@markafoltz @annevk @anssiko @mikewest @tidoust