Flesh out spec #114
Flesh out spec #114
Conversation
| @@ -206,19 +201,25 @@ A <dfn>device bound session</dfn> is a [=struct=] with the following | |||
| :: a [=string=] that is to be used as the next challenge for this session | |||
| : [=session scope=] | |||
| :: a [=struct=] defining which [=url=]'s' are in scope for this session | |||
| : [=session credential=] | |||
| :: a [=list=] of [=session credential=] used by the session | |||
| : [=session credentials=] | |||
There was a problem hiding this comment.
I don't know much about this, but: is [=session credentials=] allowed here, when the dfn is actually for the singular version? ("session credential")
Same question for [=scope specifications=] below.
There was a problem hiding this comment.
What I think I'm doing here is defining a field "session credentials" with type "list of session credential". But I'm not an expert in the notation here either.
spec.bs
Outdated
|
|
||
| 1. If [=session scope=] sets |include site|, return whether [=url=] is | ||
| same-site with the scope origin. | ||
| 1. Return whether [=url=] is same origin with the scopep origin. |
There was a problem hiding this comment.
| 1. Return whether [=url=] is same origin with the scopep origin. | |
| 1. Return whether [=url=] is same origin with the scope origin. |
| return the |scope specification|'s type. | ||
| 1. If the [=url=] matches the |session|'s refresh URL, return false. | ||
|
|
||
| 1. If [=session scope=] sets |include site|, return whether [=url=] is |
There was a problem hiding this comment.
The dfn calls it include_site. Should we have it match here?
| 1. If [=session scope=] sets |include site|, return whether [=url=] is | |
| 1. If [=session scope=] sets |include_site|, return whether [=url=] is |
There was a problem hiding this comment.
Made the dfn include site, since most places seem to use distinct words rather than underscores.
| 1. If the [=session scope=] origin is the eTLD+1 and the [=url=] is | ||
| not same-site with the eTLD+1, return false. | ||
| 1. [=list/for each=] |scope specification| in the |session scope| | ||
| 1. If the host and path of [=url=] match the |scope specification|, |
There was a problem hiding this comment.
Feel free to do this in a separate PR -- I think we should clarify what it means to match the scope specification, since it doesn't have to be an exact match host-to-host + path-to-path.
There was a problem hiding this comment.
Yeah I think that's a good followup. I'm hoping I can just reference somewhere else, given that the Chrome implementation is using a very standard helper function.
spec.bs
Outdated
| requesting excessive TPM operations (harming the user) or the | ||
| refresh endpoint has recently been unreachable (denial of service | ||
| risk for the site). | ||
| 1. Run the steps in [=evaluate session scope=] on the |request|'s URL |
There was a problem hiding this comment.
I'm not seeing evaluate session scope in the spec. Should this be something different? (Or are we missing a dfn maybe?)
There was a problem hiding this comment.
Thanks, yep. I meant url-in-scope.
spec.bs
Outdated
| <div class="algorithm" data-algorithm="session-request"> | ||
| This algorithm describes how to <dfn export dnf-for="algorithms">send | ||
| a request</dfn> for a device bound session registration or refresh. It | ||
| takes as input a |originating request|, |key pair|, |destination|, and |
There was a problem hiding this comment.
| takes as input a |originating request|, |key pair|, |destination|, and | |
| takes as input an |originating request|, |key pair|, |destination|, and |
spec.bs
Outdated
| 1. If |signed challenge| is non-null, add header "Sec-Session-Response" with | ||
| value |signed challenge| to |request|. | ||
| 1. Set |request|'s initiator to |originating request|'s initiator. | ||
| 1. Run HTTP-network-or cache fetch on |request|. |
There was a problem hiding this comment.
| 1. Run HTTP-network-or cache fetch on |request|. | |
| 1. Run HTTP-network-or-cache fetch on |request|. |
| 1. [=session identifier=] the value of "session_identifier". | ||
| 1. [=refresh url=] set to |refresh url|. | ||
| 1. [=defer requests=] set to true. | ||
| 1. [=session scope=] a new scope with [=origin=] |origin|, [=include |
There was a problem hiding this comment.
Same comment about include_site rather than include site here
drubery
force-pushed
the
spec_updates
branch
2 times, most recently
from
acd996f to
32cc06b
Compare
This adds a lot more detail to the spec. It's still not fully complete and explicit, but at this point it should be a better reference than the explainer.
SHA: 438eb4d Reason: push, by drubery Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This adds a lot more detail to the spec. It's still not fully complete and explicit, but at this point it should be a better reference than the explainer.