- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 17 Dec 2009 22:46:11 -0800
- To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
- Cc: W3C Web Security Interest Group <public-web-security@w3.org>, Eric Lawrence <ericlaw@exchange.microsoft.com>
On Wed, Dec 16, 2009 at 10:49 AM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> I've extracted the "mixed content" (aka "mixed http/https-conveyed content",
> aka "mixed security origins") stuff from Adam's reply to EricLaw's feedback.

Some additional thoughts:

1) In talking to web developers, they seem more willing to deploy STS if they can use some kinds of mixed content on their site. Examples:

A) Gmail wants to load insecure images embedded in email (in some circumstances).

B) Sites that embed YouTube videos have to do so over HTTP because YouTube doesn't stream video over HTTPS.

2) There are really two kinds of HTTP content in HTTPS pages: active content and passive content. Examples:

A) Script, CSS, plug-ins are active content because they can either completely control the page (script) or have a lot of control over the page (CSS).

B) Iframes and images are passive content because their influence is contained to changing the appearance of a particular part of the screen.

Notice that the folks who want to include HTTP content in their HTTPS sites want to include *passive* content. The YouTube case is slightly subtle. Basically, you can make YouTube videos passive by loading an HTTP iframe that loads the YouTube video.

Recommendation: If we want to block mixed content with STS, we should block *active* content. This strikes a balance between the security benefits of banishing mixed content and the deployability benefits of letting sites implement the features they need. (I'd probably define active content as everything except iframes, images, video, and audio.)

Thoughts?

Adam
Received on Friday, 18 December 2009 06:47:05 UTC
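The active/passive split proposed in the message above, written out as an added example of the policy decision a user agent would make for each subresource load from an STS-protected HTTPS page. This is illustrative code written for this page, not code from Adam Barth, the W3C group, or any browser; it assumes the resource-type names (`script`, `stylesheet`, `image`, `iframe`, `video`, `audio`, `plugin`), that the rule only engages when STS is enabled (non-STS pages fall through to whatever the browser does by default), and that a scheme-relative `//host/path` URL inherits the page's scheme.

```python
from urllib.parse import urlsplit

# Per the proposal: active content is everything except iframes, images,
# video and audio. Type names are an assumption of this example.
PASSIVE_TYPES = frozenset({"iframe", "image", "video", "audio"})


def is_active(resource_type):
    """True if a resource type can control or heavily influence the page."""
    return resource_type.lower() not in PASSIVE_TYPES


def effective_scheme(page_url, resource_url):
    """Scheme a subresource load would actually use.

    Scheme-relative (//host/path) and path-relative URLs inherit the
    embedding page's scheme, so they are not mixed content on an HTTPS page.
    """
    parts = urlsplit(resource_url)
    if parts.scheme:
        return parts.scheme.lower()
    return urlsplit(page_url).scheme.lower()


def evaluate_loads(page_url, sts_enabled, loads):
    """Decide, per (resource_type, url) pair, how the load should be treated.

    Returns a list of (resource_type, url, decision) where decision is:
      'allow'         - not mixed content (https, data:, relative, ...) or
                        the proposal does not apply (no STS)
      'allow-passive' - HTTP load on an STS HTTPS page, but passive content
      'block'         - HTTP load on an STS HTTPS page, active content
    """
    page_scheme = urlsplit(page_url).scheme.lower()
    results = []
    for rtype, url in loads:
        scheme = effective_scheme(page_url, url)
        if page_scheme != "https" or scheme != "http":
            decision = "allow"          # not a mixed-content situation
        elif not sts_enabled:
            decision = "allow"          # outside the proposal's scope (assumption)
        elif is_active(rtype):
            decision = "block"          # script/CSS/plug-ins over HTTP
        else:
            decision = "allow-passive"  # iframe/image/video/audio over HTTP
        results.append((rtype, url, decision))
    return results


# Constructed sample loads for an STS-enabled webmail page (not real URLs).
SAMPLE_PAGE = "https://mail.example/"
SAMPLE_LOADS = [
    ("script", "http://cdn.example/app.js"),           # active  -> block
    ("image", "http://photos.example/pic.png"),        # passive -> allow-passive
    ("iframe", "http://video.example/embed/abc"),      # passive -> allow-passive
    ("script", "//cdn.example/lib.js"),                # https   -> allow
    ("stylesheet", "http://cdn.example/site.css"),     # active  -> block
    ("image", "data:image/png;base64,AAAA"),           # data:   -> allow
]


def sample_decisions():
    """Run the sample through the policy and return just the decisions."""
    return [d for _, _, d in evaluate_loads(SAMPLE_PAGE, True, SAMPLE_LOADS)]


if __name__ == "__main__":
    for rtype, url, decision in evaluate_loads(SAMPLE_PAGE, True, SAMPLE_LOADS):
        print(f"{decision:14} {rtype:10} {url}")
```

The interesting lines are the scheme-relative script and the `data:` image: neither is mixed content, so the active/passive question never arises for them. The iframe case is the YouTube workaround from the message: the HTTP frame is allowed as passive even though what it loads inside itself is out of the parent page's hands.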