Re: STS and "mixed content" (Part 3 of Re: Feedback on the Strict-Transport-Security specification)

On Wed, Dec 16, 2009 at 10:49 AM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> I've extracted the "mixed content" (aka "mixed http/https-conveyed content",
> aka "mixed security origins") stuff from Adam's reply to EricLaw's feedback.

Some additional thoughts:

1) In talking to web developers, they seem more willing to deploy STS
if they can use some kinds of mixed content on their site.  Examples:
  A) Gmail wants to load insecure images embedded in email (in some
circumstances).
  B) Sites that embed YouTube videos have to do so over HTTP because
YouTube doesn't stream video over HTTPS.

2) There are really two kinds of HTTP content in HTTPS pages: active
content and passive content.  Examples:
  A) Script, CSS, plug-ins are active content because they can either
completely control the page (script) or have a lot of control over the
page (CSS).
  B) Iframes and images are passive content because their influence is
contained to changing the appearance of a particular part of the
screen.

Notice that the folks who want to include HTTP content in their HTTPS
sites want to include *passive* content.  The YouTube case is slightly
subtle.  Basically, you can make YouTube videos passive by loading an
HTTP iframe that loads the YouTube video.

Recommendation: If we want to block mixed content with STS, we should
block *active* content.  This strikes a balance between the security
benefits of banishing mixed content and the deployability benefits of
letting sites implement the features they need.  (I'd probably define
active content as everything except iframes, images, video, and
audio.)

Thoughts?

Adam

Received on Friday, 18 December 2009 06:47:05 UTC
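Editor's illustration of the active/passive split Adam proposes above: a small
mixed-content classifier that decides, for each subresource an HTTPS page loads,
whether to block it (active) or allow it (passive), plus a regex scan that runs
the classifier over a document. This is an added example, not code from Adam,
from the STS draft, or from any browser. The decision names ('allow',
'allow-passive', 'block-active'), the element-to-type table, the page URL and
the sample HTML are this example's own assumptions.

```javascript
// Added example: mixed-content classifier following the active/passive split
// proposed in the message above. Not part of the STS draft or of any browser;
// decision names, element table and sample input are this example's assumptions.

// Adam's proposed definition: everything except iframes, images, video and
// audio is active content.
const PASSIVE_TYPES = new Set(['iframe', 'image', 'video', 'audio']);

// Which kind of subresource each element loads, and from which attribute.
const ELEMENTS = {
  script: { type: 'script', attr: 'src' },
  link:   { type: 'stylesheet', attr: 'href' }, // only when rel contains "stylesheet"
  object: { type: 'plugin', attr: 'data' },
  embed:  { type: 'plugin', attr: 'src' },
  img:    { type: 'image', attr: 'src' },
  video:  { type: 'video', attr: 'src' },
  audio:  { type: 'audio', attr: 'src' },
  iframe: { type: 'iframe', attr: 'src' },
};

// Decide what an HTTPS page may do with one subresource request.
function classifyRequest(pageUrl, resourceUrl, type) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return 'allow'; // not an HTTPS page: nothing is "mixed"
  let res;
  try {
    // Resolving against the page handles relative and protocol-relative
    // ("//host/path") URLs, which inherit the page's scheme.
    res = new URL(resourceUrl, page);
  } catch (e) {
    return 'block-active'; // unparsable URL: fail closed
  }
  if (res.protocol !== 'http:') return 'allow'; // https:, data:, blob:, about: carry no cleartext
  return PASSIVE_TYPES.has(type) ? 'allow-passive' : 'block-active';
}

// Pull a single attribute value out of an element's attribute string.
function getAttr(attrs, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(attrs);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// Scan an HTML document for subresources and classify each one. A regex scan
// is enough for this illustration; a real checker would use an HTML parser.
function scanHtml(pageUrl, html) {
  const findings = [];
  const tagRe = /<(script|link|object|embed|img|video|audio|iframe)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const element = m[1].toLowerCase();
    const attrs = m[2];
    const spec = ELEMENTS[element];
    if (element === 'link' && !/\brel\s*=\s*["']?[^"'>]*stylesheet/i.test(attrs)) continue;
    const url = getAttr(attrs, spec.attr);
    if (url === null) continue; // inline <script>, <video> with <source> children, etc.
    findings.push({ element, url, type: spec.type, decision: classifyRequest(pageUrl, url, spec.type) });
  }
  return findings;
}

// Constructed sample: an HTTPS webmail page mixing several kinds of subresource.
const PAGE_URL = 'https://mail.example.com/inbox';
const SAMPLE_HTML = `
<script src="http://cdn.example.net/app.js"></script>
<link rel="stylesheet" href="//cdn.example.net/site.css">
<img src="http://images.example.org/photo.jpg">
<iframe src="http://www.example.org/embed/abc123"></iframe>
<script src="/static/local.js"></script>
<img src="https://static.example.com/logo.png">
`;

for (const f of scanHtml(PAGE_URL, SAMPLE_HTML)) {
  console.log(`${f.decision.padEnd(13)} <${f.element}> ${f.type}: ${f.url}`);
}
```

Run with node; the sample shows the HTTP script being blocked, the HTTP image
and the HTTP iframe being allowed as passive, and the protocol-relative
stylesheet and the relative script resolving to https: and therefore not
counting as mixed at all. The iframe line is the YouTube case from the message:
the framed document is HTTP, but it cannot touch the embedding HTTPS page. Note
that the W3C Mixed Content specification that browsers later adopted treats
frames as blockable and only images, audio and video as optionally blockable,
so a current implementation of this policy would remove 'iframe' from
PASSIVE_TYPES.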