w3c / webappsec-secure-contexts

WebAppSec Secure Contexts
https://w3c.github.io/webappsec-secure-contexts/

For sandboxed content, allow UAs to use the origin that would have been used if not sandboxed #27

Closed jwatt closed 7 years ago

jwatt commented 8 years ago

Regarding step 5 of the Is settings object a secure context? algorithm:

If origin is an opaque identifier, set origin to the origin of settings object’s creation URL.

Could we insert the following as a step before that:

If origin is an opaque identifier then, if it is possible to determine that this is because settings object is sandboxed and, if it is possible to determine what the origin would have been had settings object not been sandboxed, origin may be set to that origin.

annevk commented 8 years ago

(Also, opaque identifier -> opaque origin.)

jwatt commented 8 years ago

I'm happy to provide PRs if that seems acceptable.

mikewest commented 7 years ago

Can you spell out what this would mean, practically? When can we determine that a document is sandboxed that doesn't involve looking at its URL? Is this just about data:?

mikewest commented 7 years ago

If there's anything to do here, let's fold it into the discussion at https://github.com/w3c/webappsec-secure-contexts/issues/26.