diff options
author | Peter Bengtsson <mail@peterbe.com> | 2020-12-08 14:40:17 -0500 |
---|---|---|
committer | Peter Bengtsson <mail@peterbe.com> | 2020-12-08 14:40:17 -0500 |
commit | 33058f2b292b3a581333bdfb21b8f671898c5060 (patch) | |
tree | 51c3e392513ec574331b2d3f85c394445ea803c6 /files/zh-cn/web/security/secure_contexts | |
parent | 8b66d724f7caf0157093fb09cfec8fbd0c6ad50a (diff) | |
download | translated-content-33058f2b292b3a581333bdfb21b8f671898c5060.tar.gz translated-content-33058f2b292b3a581333bdfb21b8f671898c5060.tar.bz2 translated-content-33058f2b292b3a581333bdfb21b8f671898c5060.zip |
initial commit
Diffstat (limited to 'files/zh-cn/web/security/secure_contexts')
-rw-r--r-- | files/zh-cn/web/security/secure_contexts/index.html | 72 |
1 files changed, 72 insertions, 0 deletions
diff --git a/files/zh-cn/web/security/secure_contexts/index.html b/files/zh-cn/web/security/secure_contexts/index.html new file mode 100644 index 0000000000..d658bbb4a0 --- /dev/null +++ b/files/zh-cn/web/security/secure_contexts/index.html @@ -0,0 +1,72 @@ +--- +title: Secure contexts +slug: Web/Security/Secure_Contexts +translation_of: Web/Security/Secure_Contexts +--- +<p><span class="seoSummary"><strong>安全上下文</strong>是 <code>Window</code> 与 <code>Worker</code> 中的概念</span>满足了最低标准的身份验证和机密性<span class="seoSummary">.</span> 许多Web APIs的访问仅能在安全上下文中. 安全上下文的主要目标是防止 {{interwiki("wikipedia", "man-in-the-middle attack", "MITM attackers")}} 强大的APIs被坏人利用.</p> + +<h2 id="为什么要限制某些功能">为什么要限制某些功能?</h2> + +<p>有些APIs是非常强大的, 能给攻击者更强的能力以及更多的操作:</p> + +<ul> + <li>侵犯用户隐私.</li> + <li>获得对用户计算机的低级访问权限.</li> + <li>获得对数据的访问权限,例如用户凭证.</li> +</ul> + +<h2 id="When_is_a_context_considered_secure">When is a context considered secure?</h2> + +<p>A context is considered secure when it meets certain minimum standards of authentication and confidentiality defined in the <a href="https://w3c.github.io/webappsec-secure-contexts/">Secure Contexts</a> specification. A particular document is considered to be in a secure context when it is the <a href="https://html.spec.whatwg.org/multipage/browsers.html#active-document">active document</a> of a <a href="https://html.spec.whatwg.org/multipage/browsers.html#top-level-browsing-context">top-level browsing context</a> (basically, a containing window or tab) that is a secure context.</p> + +<p>For example, even for a document delivered over TLS within an {{HTMLElement("iframe")}}, its context is <strong>not</strong> considered secure if it has an ancestor that was not also delivered over TLS.</p> + +<p>However, it’s important to note that if a non-secure context causes a new window to be created (with or without specifying <a href="/en-US/docs/Web/API/Window/open#noopener">noopener</a>), then the fact that the opener was insecure has no effect on whether the new window is considered secure. That’s because the determination of whether or not a particular document is in a secure context is based only on considering it within the top-level browsing context with which it is associated — and not whether a non-secure context happened to be used to create it.</p> + +<p>Locally-delivered resources such as those with <em>http://127.0.0.1</em> URLs, <em>http://localhost</em> URLs (under certain conditions), and <em>file://</em> URLs are also considered to have been delivered securely.</p> + +<p>Resources that are not local, to be considered secure, must meet the following criteria:</p> + +<ul> + <li>must be served over <em>https://</em> or <em>wss://</em> URLs</li> + <li>the security properties of the network channel used to deliver the resource must not be considered deprecated</li> +</ul> + +<h2 id="Feature_detection">Feature detection</h2> + +<p>Pages can use feature detection to check whether they are in a secure context or not by using the {{domxref("WindowOrWorkerGlobalScope.isSecureContext", "isSecureContext")}} boolean, which is exposed on the global scope.</p> + +<pre class="brush: js notranslate">if (window.isSecureContext) { + // Page is a secure context so service workers are now available + navigator.serviceWorker.register("/offline-worker.js").then(function () { + ... + }); +}</pre> + +<h2 id="Specifications">Specifications</h2> + +<table class="standard-table"> + <tbody> + <tr> + <td>Specification</td> + <td>Status</td> + <td>Comment</td> + </tr> + <tr> + <td>{{SpecName('Secure Contexts')}}</td> + <td>{{Spec2('Secure Contexts')}}</td> + <td>Editor’s Draft</td> + </tr> + </tbody> +</table> + +<h2 id="See_also">See also</h2> + +<ul> + <li><a href="/en-US/docs/Web/Security/Secure_Contexts/features_restricted_to_secure_contexts">Platform features restricted to secure contexts</a> — a list of the features available only in secure contexts</li> + <li>{{domxref("Window.isSecureContext")}}</li> + <li><a href="https://permission.site">https://permission.site</a> — A site that allows you to check what API permission checks your browser employs, over HTTP and HTTPS</li> + <li><a href="/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security">Strict-Transport-Security</a> HTTP header</li> +</ul> + +<div>{{QuickLinksWithSubpages("/en-US/docs/Web/Security")}}</div> |