安全上下文是 Window 与 Worker 中的概念满足了最低标准的身份验证和机密性. 许多Web APIs的访问仅能在安全上下文中. 安全上下文的主要目标是防止 {{interwiki("wikipedia", "man-in-the-middle attack", "MITM attackers")}} 强大的APIs被坏人利用.
有些APIs是非常强大的, 能给攻击者更强的能力以及更多的操作:
A context is considered secure when it meets certain minimum standards of authentication and confidentiality defined in the Secure Contexts specification. A particular document is considered to be in a secure context when it is the active document of a top-level browsing context (basically, a containing window or tab) that is a secure context.
For example, even for a document delivered over TLS within an {{HTMLElement("iframe")}}, its context is not considered secure if it has an ancestor that was not also delivered over TLS.
However, it’s important to note that if a non-secure context causes a new window to be created (with or without specifying noopener), then the fact that the opener was insecure has no effect on whether the new window is considered secure. That’s because the determination of whether or not a particular document is in a secure context is based only on considering it within the top-level browsing context with which it is associated — and not whether a non-secure context happened to be used to create it.
Locally-delivered resources such as those with http://127.0.0.1 URLs, http://localhost URLs (under certain conditions), and file:// URLs are also considered to have been delivered securely.
Resources that are not local, to be considered secure, must meet the following criteria:
Pages can use feature detection to check whether they are in a secure context or not by using the {{domxref("WindowOrWorkerGlobalScope.isSecureContext", "isSecureContext")}} boolean, which is exposed on the global scope.
if (window.isSecureContext) {
// Page is a secure context so service workers are now available
navigator.serviceWorker.register("/offline-worker.js").then(function () {
...
});
}
| Specification | Status | Comment |
| {{SpecName('Secure Contexts')}} | {{Spec2('Secure Contexts')}} | Editor’s Draft |