aboutsummaryrefslogtreecommitdiff
path: root/files/zh-cn/web/security/secure_contexts
diff options
context:
space:
mode:
authorPeter Bengtsson <mail@peterbe.com>2020-12-08 14:40:17 -0500
committerPeter Bengtsson <mail@peterbe.com>2020-12-08 14:40:17 -0500
commit33058f2b292b3a581333bdfb21b8f671898c5060 (patch)
tree51c3e392513ec574331b2d3f85c394445ea803c6 /files/zh-cn/web/security/secure_contexts
parent8b66d724f7caf0157093fb09cfec8fbd0c6ad50a (diff)
downloadtranslated-content-33058f2b292b3a581333bdfb21b8f671898c5060.tar.gz
translated-content-33058f2b292b3a581333bdfb21b8f671898c5060.tar.bz2
translated-content-33058f2b292b3a581333bdfb21b8f671898c5060.zip
initial commit
Diffstat (limited to 'files/zh-cn/web/security/secure_contexts')
-rw-r--r--files/zh-cn/web/security/secure_contexts/index.html72
1 files changed, 72 insertions, 0 deletions
diff --git a/files/zh-cn/web/security/secure_contexts/index.html b/files/zh-cn/web/security/secure_contexts/index.html
new file mode 100644
index 0000000000..d658bbb4a0
--- /dev/null
+++ b/files/zh-cn/web/security/secure_contexts/index.html
@@ -0,0 +1,72 @@
+---
+title: Secure contexts
+slug: Web/Security/Secure_Contexts
+translation_of: Web/Security/Secure_Contexts
+---
+<p><span class="seoSummary"><strong>安全上下文</strong>是 <code>Window</code> 与 <code>Worker</code> 中的概念</span>满足了最低标准的身份验证和机密性<span class="seoSummary">.</span> 许多Web APIs的访问仅能在安全上下文中. 安全上下文的主要目标是防止 {{interwiki("wikipedia", "man-in-the-middle attack", "MITM attackers")}} 强大的APIs被坏人利用.</p>
+
+<h2 id="为什么要限制某些功能">为什么要限制某些功能?</h2>
+
+<p>有些APIs是非常强大的, 能给攻击者更强的能力以及更多的操作:</p>
+
+<ul>
+ <li>侵犯用户隐私.</li>
+ <li>获得对用户计算机的低级访问权限.</li>
+ <li>获得对数据的访问权限,例如用户凭证.</li>
+</ul>
+
+<h2 id="When_is_a_context_considered_secure">When is a context considered secure?</h2>
+
+<p>A context is considered secure when it meets certain minimum standards of authentication and confidentiality defined in the <a href="https://w3c.github.io/webappsec-secure-contexts/">Secure Contexts</a> specification. A particular document is considered to be in a secure context when it is the <a href="https://html.spec.whatwg.org/multipage/browsers.html#active-document">active document</a> of a <a href="https://html.spec.whatwg.org/multipage/browsers.html#top-level-browsing-context">top-level browsing context</a> (basically, a containing window or tab) that is a secure context.</p>
+
+<p>For example, even for a document delivered over TLS within an {{HTMLElement("iframe")}}, its context is <strong>not</strong> considered secure if it has an ancestor that was not also delivered over TLS.</p>
+
+<p>However, it’s important to note that if a non-secure context causes a new window to be created (with or without specifying <a href="/en-US/docs/Web/API/Window/open#noopener">noopener</a>), then the fact that the opener was insecure has no effect on whether the new window is considered secure. That’s because the determination of whether or not a particular document is in a secure context is based only on considering it within the top-level browsing context with which it is associated — and not whether a non-secure context happened to be used to create it.</p>
+
+<p>Locally-delivered resources such as those with <em>http://127.0.0.1</em> URLs, <em>http://localhost</em> URLs (under certain conditions), and <em>file://</em> URLs are also considered to have been delivered securely.</p>
+
+<p>Resources that are not local, to be considered secure, must meet the following criteria:</p>
+
+<ul>
+ <li>must be served over <em>https://</em> or <em>wss://</em> URLs</li>
+ <li>the security properties of the network channel used to deliver the resource must not be considered deprecated</li>
+</ul>
+
+<h2 id="Feature_detection">Feature detection</h2>
+
+<p>Pages can use feature detection to check whether they are in a secure context or not by using the {{domxref("WindowOrWorkerGlobalScope.isSecureContext", "isSecureContext")}} boolean, which is exposed on the global scope.</p>
+
+<pre class="brush: js notranslate">if (window.isSecureContext) {
+ // Page is a secure context so service workers are now available
+ navigator.serviceWorker.register("/offline-worker.js").then(function () {
+ ...
+ });
+}</pre>
+
+<h2 id="Specifications">Specifications</h2>
+
+<table class="standard-table">
+ <tbody>
+ <tr>
+ <td>Specification</td>
+ <td>Status</td>
+ <td>Comment</td>
+ </tr>
+ <tr>
+ <td>{{SpecName('Secure Contexts')}}</td>
+ <td>{{Spec2('Secure Contexts')}}</td>
+ <td>Editor’s Draft</td>
+ </tr>
+ </tbody>
+</table>
+
+<h2 id="See_also">See also</h2>
+
+<ul>
+ <li><a href="/en-US/docs/Web/Security/Secure_Contexts/features_restricted_to_secure_contexts">Platform features restricted to secure contexts</a> — a list of the features available only in secure contexts</li>
+ <li>{{domxref("Window.isSecureContext")}}</li>
+ <li><a href="https://permission.site">https://permission.site</a> — A site that allows you to check what API permission checks your browser employs, over HTTP and HTTPS</li>
+ <li><a href="/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security">Strict-Transport-Security</a> HTTP header</li>
+</ul>
+
+<div>{{QuickLinksWithSubpages("/en-US/docs/Web/Security")}}</div>