18085 – "all content using the http+aes scheme on the same host (and same port) shares the same origin and can therefore leak the keys" - unless there's a use case for supporting this, it seems more robust to make http(s)+aes never be same-origin

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 18085 - "all content using the http+aes scheme on the same host (and same port) shares the same origin and can therefore leak the keys" - unless there's a use case for supporting this, it seems more robust to make http(s)+aes never be same-origin

Summary: "all content using the http+aes scheme on the same host (and same port) share...

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	HTML WG
Classification:	Unclassified
Component:	HTML5 spec (show other bugs)
Version:	unspecified
Hardware:	Other other

Importance:	P3 normal
Target Milestone:	---
Assignee:	This bug has no owner yet - up for the taking
QA Contact:	HTML WG Bugzilla archive list

URL:	http://www.whatwg.org/specs/web-apps/...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2012-07-18 17:13 UTC by contributor
Modified:	2012-10-22 07:32 UTC (History)
CC List:	5 users (show)

See Also:

Attachments

Description contributor 2012-07-18 17:13:33 UTC

This was was cloned from bug 16248 as part of operation convergence.
Originally filed: 2012-03-07 08:49:00 +0000

================================================================================
 #0   contributor@whatwg.org                          2012-03-07 08:49:00 +0000 
--------------------------------------------------------------------------------
Specification: http://www.whatwg.org/specs/web-apps/current-work/multipage/iana.html
Multipage: http://www.whatwg.org/C#http+aes-scheme
Complete: http://www.whatwg.org/c#http+aes-scheme

Comment:
"all content using the http+aes scheme on the same host (and same port) shares
the same origin and can therefore leak the keys" - unless there's a use case
for supporting this, it seems more robust to make http(s)+aes never be
same-origin

Posted from: 88.131.66.80 by simonp@opera.com
User agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.7.2; U; en) Presto/2.10.229 Version/11.61
================================================================================

Comment 1 Michael[tm] Smith 2012-10-22 07:32:45 UTC

The http+aes scheme/feature is not part of the W3C HTML5 spec and has also been dropped from the upstream WHATWG HTML spec.