New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Define security requirements for messaging channel between secure origins #80
Comments
Tagged this for F2F discussion. @mfoltzgoogle mentioned having had "preliminary discussions in Chrome about this, but nothing firm enough to propose, so I'm glad to have an opportunity to discuss this in the group." So let's discuss at F2F latest :-) |
PROPOSED RESOLUTION: keep issue 80 open while we gather more implementation experience. Highlight issue asking for feedback when getting in touch with PING / Web security IG See relevant discussion during first day of Berlin F2F: |
Re-adding F2F tag so that we can review feedback from PING/TAG and reports from implementations in October. |
We would like to propose some ideas for discussion on this topic at the F2F (actually, more leaning towards possible solutions than just requirements). Might also be worth a session in the Unconference part of TPAC to get wider visibility of the problem. So, I support Mark's addition of the F2F tag. Btw, has there been any TAG discussion of this ? |
The TAG prepared a draft review of the Presentation API. The relevant part appears more descriptive than prescriptive: [[ |
See relevant discussion at TPAC F2F: RESOLUTION: For issue #80, close issue as out of scope, and focus on informative guidelines in security section. |
Before closing this, we need to update the spec to take account of https://www.w3.org/2015/10/29-webscreens-minutes.html#action07
As well as polish the text in the security section. |
I think the spec reflects the current thinking about cross-origin connection in the working group. We'll probably revisit this as we make progress on network-level specification, but I'm closing this for now. |
public-secondscreen thread:
While discussing the Hbb 2.0 TV standard, the issue of how WebSockets would be used to communicate between the controlling Web application and the presenting TV Web application.
If these Web applications are provided on secure (
https://
) origins, some guarantees of message confidentiality and authenticity of either party should be made to meet the standards set out by the Mixed Content proposal.This issue will be addressed by a spec change to spell out the security requirements for the messaging channel as part of the Security and Privacy sections of the spec.
The text was updated successfully, but these errors were encountered: