"Particularly powerful" would mean ... generally any feature that
we would provide a user-settable permission or privilege to.
>> I think the inclusion of file:/// is somewhat problematic, since it is
>> not implied that the content arrived over a secure channel,
>
> Right. "But it's here now." Perhaps we should take file: off the list,
> perhaps we should find some way to tag files as having come from
> secure transport, or...

A special problem here is also how to scope the permission if ever
granted by the user. A permission granted to
file:///installed_app/bar.html probably shouldn't carry over to
file:///some/random/downloaded/thing.html.
There is, I think, a balance.
The examples you gave are examples where we default positive (allow), but then allow the user to deny. In effect, all origins BUT X have access to a permission.
However, for permissions where the assumption is default-deny (or prompt), those are certainly in scope. That's because if you grant Origin X access, and X is an origin delivered over an insecure transport, you've granted it to all origins, in effect.
Would it make more sense to clarify that it's in response to deny-by-default permissions? geolocation, audio, video all come to mind as modern deny features that would, ideally, have been restricted for the reasons listed - though that horse has long since left the barn.
On Jun 27, 2014 5:02 PM, "'Peter Kasting' via Security-dev" <securi...@chromium.org> wrote:
> On Fri, Jun 27, 2014 at 3:55 PM, 'Chris Palmer' via blink-dev <blin...@chromium.org> wrote:
>> "Particularly powerful" would mean ... generally any feature that
>> we would provide a user-settable permission or privilege to.
>
> I don't really understand this last clause. Users of browsers can set many permissions, e.g. in Chrome the user can grant or deny sites the ability to use plugins, open popup windows, run Javascript, etc. I doubt you intended to suggest that a new feature with a similar scope to those should be restricted.
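As an added illustration of the two points argued in this thread (this is constructed example code, not code from the thread or from Chromium): a decision for a deny-by-default permission is only persisted when the origin arrived over a secure transport, and file: decisions are keyed per directory rather than to one shared file: origin. The permission names, the localhost rule and the trusted_file_dirs tag (standing in for the "tag files as having come from secure transport" idea) are assumptions.

```python
from posixpath import dirname
from urllib.parse import urlsplit

DENY_BY_DEFAULT = {"geolocation", "audio", "video"}      # prompt unless granted
ALLOW_BY_DEFAULT = {"javascript", "popups", "plugins"}   # allowed unless denied

def is_secure_origin(url, trusted_file_dirs=()):
    """Can this content be assumed to have come over a secure transport?
    https/wss qualify; localhost is assumed secure; file: only when the
    embedder tagged its directory as installed (assumption, see lead-in)."""
    u = urlsplit(url)
    if u.scheme in ("https", "wss"):
        return True
    if u.scheme in ("http", "ws") and u.hostname in ("localhost", "127.0.0.1"):
        return True
    if u.scheme == "file":
        return dirname(u.path) in trusted_file_dirs
    return False

def grant_scope(url):
    """Key a decision is stored under: (scheme, host, port) for network
    origins; for file: URLs the directory, not one shared 'file:' origin."""
    u = urlsplit(url)
    if u.scheme == "file":
        return ("file", dirname(u.path))
    default = {"http": 80, "ws": 80, "https": 443, "wss": 443}.get(u.scheme)
    return (u.scheme, u.hostname, u.port or default)

class PermissionStore:
    def __init__(self, trusted_file_dirs=()):
        self._trusted = tuple(trusted_file_dirs)
        self._decisions = {}  # grant_scope -> {permission: allowed?}

    def set(self, url, permission, allow):
        """Record a user decision; False means policy refuses to persist it."""
        if allow and permission in DENY_BY_DEFAULT \
                and not is_secure_origin(url, self._trusted):
            # An insecure origin can be impersonated on the wire, so an allow
            # here would in effect be an allow for every origin.
            return False
        self._decisions.setdefault(grant_scope(url), {})[permission] = allow
        return True

    def query(self, url, permission):
        """'allow', 'deny' or 'prompt' for a request from this URL."""
        decision = self._decisions.get(grant_scope(url), {}).get(permission)
        if decision is None:
            return "allow" if permission in ALLOW_BY_DEFAULT else "prompt"
        return "allow" if decision else "deny"
```

Denials are always persisted, so the default-allow permissions Peter lists still let the user deny a single origin while every other origin keeps access.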