by jwarren on 1/15/18, 4:05 PM with 17 comments
by nickpsecurity on 1/15/18, 5:35 PM
https://developer.mozilla.org/en-US/docs/Web/Security/Secure...
Features Restricted to Secure Contexts:
https://developer.mozilla.org/en-US/docs/Web/Security/Secure...
Chrome's Secure Origins seem to be the same thing:
https://www.chromium.org/Home/chromium-security/prefer-secur...
by niftich on 1/15/18, 9:08 PM
Declarative code, such as HTML or CSS, which describe particular behaviors of rendering from a broad, but limited palette, are a different severity from imperative code that can interact with various features of your host platform.
As a user, for the web execution trust model to work, you need to know that the code you're about to execute was vetted by originating site and not altered in transit. TLS provides this. It won't help you with easing the cognitive load of making that decision, or extending your trust model to third-party origins referred to by the site you visit, but it does provide baseline assurance that the content wasn't tampered with by an agent that wasn't a party known to you or your origin ahead of time.
As a side-effect, this move serves to further segregate the document-based 'legacy' web and the new web that's an application delivery platform. In my opinion, any move that sets these two use-cases further apart, without necessarily impacting the nameplate usability expectation of either, is a welcome step.
by nicolaslem on 1/15/18, 8:13 PM
I'm personally going the opposite direction, I started using browsing with JS disabled a while ago and found my browsing experience improved.
With the recent security issues, is that really the way we want to go?
by Scaevolus on 1/16/18, 3:20 AM
How is local development supposed to occur?
E: there's going to be some flag to enable it for development