Re: [packaging-on-the-web] Is it safe to deploy over plain-text HTTP? (#19) from Yoav Weiss on 2015-01-10 (public-webapps-github@w3.org from January 2015)

From: Yoav Weiss <notifications@github.com>
Date: Sat, 10 Jan 2015 01:07:20 -0800
To: w3ctag/packaging-on-the-web <packaging-on-the-web@noreply.github.com>
Cc: WebApps WG <public-webapps-github@w3.org>
Message-ID: <w3ctag/packaging-on-the-web/issues/19/69449264@github.com>

Specifically what worries me is the package's ability to populate caches for URLs that the user has not (yet?) requested, and poison the user's cache.

I'm not sure there's a vulnerability there beyond MITMing simple HTTP traffic, but I think it's a point worth addressing, and getting a proper security review on. 

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/packaging-on-the-web/issues/19#issuecomment-69449264

Received on Saturday, 10 January 2015 09:07:46 UTC