
RE: Using CSP

From: Hill, Brad <bhill@paypal-inc.com>
Date: Tue, 26 Jul 2011 10:58:15 -0600
To: Boris Zbarsky <bzbarsky@MIT.EDU>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <213E0EC97FE58F469BB618245B3118BB550CB2A7A4@DEN-MEXMS-001.corp.ebay.com>
The threat is that the secure content will be spoofed, but there are plenty of common use cases for this, where the content of the HTTPS iframe has a very low risk of spoofing.  For example, a personalized "Like", "+1", or "Pay" button.  

These buttons likely originate at an HTTPS only site, but are commonly embedded in HTTP content.  If the framing site or a MITM substitutes these for a fake button, there's little or nothing for the attacker to gain.  There is little need for user trust, too, as the actions performed by such buttons can be validated by a back-channel between the framing and framed applications, or they send the user to a full HTTPS page that has normal security indicators.

-Brad

(there is some increased risk of clickjacking but that's an orthogonal threat that is addressed by different specs and technology)

-----Original Message-----
From: public-web-security-request@w3.org [mailto:public-web-security-request@w3.org] On Behalf Of Boris Zbarsky
Sent: Tuesday, July 26, 2011 9:42 AM
To: public-web-security@w3.org
Subject: Re: Using CSP

On 7/26/11 6:27 AM, Nick Gearls wrote:
> However, if you have a HTTPS frame inside your HTTP page

Why would you do that?  And, importantly, why should the user trust anything about the result?

This seems like an antipattern that we don't really want to promote...

-Boris
Received on Tuesday, 26 July 2011 16:58:44 GMT
