
Re: CSP: non-TLS scheme restrictions must allow TLS-enabled schemes automatically

From: Henrik Nordström <henrik@henriknordstrom.net>
Date: Mon, 27 Jun 2011 17:54:24 +0200
To: Gervase Markham <gerv@mozilla.org>
Cc: public-web-security@w3.org
Message-ID: <1309190064.12768.12.camel@henriknordstrom.net>
On Mon, 2011-06-27 at 09:14 +0100, Gervase Markham wrote:

> Isn't there a risk here? HTTP vhosting exists, but TLS vhosting does not
> (really) yet. So the owner of the website which is at
> http://www.foo.com/ might find that accessing https://www.foo.com/
> actually gives them the HTML content of https://www.bar.com/, which is
> hosted on the same machine, but controlled by someone else entirely.

Yes, there is a risk. Today the risk is fairly minimal with most sites
using https having their own IPv4 address not shared by third party http
sites, but the risk is likely to increase in future as IPv4 addresses
become more scarce.

However, in this case the risk is easily mitigated by simply making sure
https vhosting is enabled when running https on an IP where http
vhosting is enabled.

Note: A similar but different risk exists in the same-origin policy of
Java/Flash sandboxes, where the applet can access any service on the
same IP, which means any vhost on that IP.

Regards
Henrik
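The situation the two mails describe, as an added example that is not part of the thread: a shared IP where www.foo.com is http-only and www.bar.com owns the single https listener, a CSP source of http://www.foo.com that also admits https://www.foo.com, and the mitigation of enabling name-based https vhosting. The vhost tables, the page contents and the "server" are a constructed simulation of name-based dispatch, not a real TLS stack; the host names are the ones used in the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed placeholder content for the two tenants named in the thread.
FOO_CONTENT = "<html>foo.com site</html>"
BAR_CONTENT = "<html>bar.com site (other tenant)</html>"


@dataclass
class VHost:
    names: frozenset          # host names this site answers for
    content: str              # what the tenant serves (constructed placeholder)


@dataclass
class SharedIP:
    """One IP address shared by several sites, the situation Gerv describes."""
    http_vhosts: List[VHost]
    tls_vhosts: List[VHost]
    # The mitigation from the reply: is https vhosting enabled on this IP,
    # i.e. is the TLS site chosen by the requested name, or does a single
    # TLS site own the listener for every name?
    tls_name_based: bool = True

    def serve_http(self, host_header: str) -> Optional[str]:
        # Plain-HTTP vhosting: the Host header selects the site.
        for v in self.http_vhosts:
            if host_header in v.names:
                return v.content
        return None

    def serve_https(self, requested_name: str) -> Optional[str]:
        if not self.tls_name_based:
            # No https vhosting: the one TLS site bound to the IP answers no
            # matter which name the client asked for.  This is the risk in
            # the thread: foo.com's https URL returns bar.com's content.
            return self.tls_vhosts[0].content if self.tls_vhosts else None
        # https vhosting enabled: pick by name (SNI in a real deployment) and
        # refuse unknown names instead of falling through to another tenant.
        for v in self.tls_vhosts:
            if requested_name in v.names:
                return v.content
        return None


def csp_source_allows(source: str, url: str) -> bool:
    """The rule in the thread subject: a CSP source of http://host also
    allows https://host, never the reverse.  Ports are ignored here."""
    s, u = urlsplit(source), urlsplit(url)
    if s.hostname != u.hostname:
        return False
    if s.scheme == u.scheme:
        return True
    return s.scheme == "http" and u.scheme == "https"


def fetch_under_policy(ip: SharedIP, source: str, url: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed_by_csp, content_the_server_returned)."""
    if not csp_source_allows(source, url):
        return False, None
    u = urlsplit(url)
    content = ip.serve_https(u.hostname) if u.scheme == "https" else ip.serve_http(u.hostname)
    return True, content


def shared_ip_without_tls_vhosting() -> SharedIP:
    """foo.com is http-only; bar.com owns the IP's single https listener."""
    foo = VHost(frozenset({"www.foo.com"}), FOO_CONTENT)
    bar = VHost(frozenset({"www.bar.com"}), BAR_CONTENT)
    return SharedIP(http_vhosts=[foo, bar], tls_vhosts=[bar], tls_name_based=False)


def shared_ip_with_tls_vhosting() -> SharedIP:
    """Same tenants, but https is name-based, as the reply recommends."""
    foo = VHost(frozenset({"www.foo.com"}), FOO_CONTENT)
    bar = VHost(frozenset({"www.bar.com"}), BAR_CONTENT)
    return SharedIP(http_vhosts=[foo, bar], tls_vhosts=[bar], tls_name_based=True)


if __name__ == "__main__":
    policy = "http://www.foo.com"
    for label, ip in (("no https vhosting", shared_ip_without_tls_vhosting()),
                      ("https vhosting", shared_ip_with_tls_vhosting())):
        print(label, fetch_under_policy(ip, policy, "https://www.foo.com"))
```

With https vhosting off, the policy admits https://www.foo.com and the server hands back BAR_CONTENT; with it on, the same request is refused (None) until foo.com gets its own TLS vhost, which is the outcome the reply relies on.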
Received on Monday, 27 June 2011 15:55:09 GMT
