Closed bzbarsky closed 8 years ago
mikewest
commented
8 years ago https://github.com/w3c/webappsec-secure-contexts/commit/d2db6fb6045bb1f40c36cd54428cc7193b040af6 addresses this (for this spec) by skipping the check for opaque identifier origins. I'll poke at MIX in a separate patch.
mikewest
commented
8 years ago Between these two patches, I think the specs define sane behavior. WDYT?
bzbarsky
commented
8 years ago @mikewest So we're just not referencing MIX now at all?
mikewest
commented
8 years ago MIX drops the 'potentially secure origin' definition, as it's confusing and unnecessary, and it turns out that MIX really cares more about URLs and responses than origins.
Perhaps focusing on origins in this spec is equally confusing. Hrm.
jwatt
commented
8 years ago Perhaps focusing on origins in this spec is equally confusing. Hrm.
Perhaps, but maybe that can be considered in a separate issue, since I think this one is now resolved.
Do you agree bzbarsky?
bzbarsky
commented
8 years ago @jwatt Agree that this one is resolved, or that origins-vs-URIs should be considered separately?
jwatt
commented
8 years ago @bzbarsky Agree that this one is resolved.
bzbarsky
commented
8 years ago Yeah, looks resolved to me.
http://www.w3.org/TR/mixed-content/#potentially-secure-origin assumes origins have a scheme component.
So does https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy step 2 and so forth.
But globally unique identifier values do not have those components. Since those values can end up in this algorithm as far as I can tell, the behavior for them needs to be defined.