[whatwg] "secure" attribute in Storage section of WA spec
Ian Hickson
ian at hixie.ch
Mon Jun 26 09:58:41 PDT 2006
On Mon, 26 Jun 2006, Gervase Markham wrote:
> >
> > interface StorageItem {
> > attribute boolean secure;
> > attribute DOMString value;
> > };
>
> I would like to suggest the the "secure" attribute be an integer rather
> than a boolean, initially with 0 meaning insecure, and 1 meaning secure.
>
> So, for example, you could have StorageItems which were only returned if
> the page on the site was secured with a new EV cert, and was not
> accessible to pages which had an ordinary cert or no cert.
Is it ever possible to get an "ordinary cert" which claims to identify
some domain, but which was not purchased by the owners of that domain? The
only reason for the "secure" attribute is to avoid DNS spoofing; the flag
has two values -- allow DNS to be spoofed and return the item whether or
not the site was spoofed, and only return the item if the site's
certificate matched the domain name of the site.
I'm happy to make it a tristate flag, but I'd want to better understand
why that would make it more secure. If it would make it more secure, that
would imply some pretty worrying things about TLS today.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg
mailing list