- From: Chris Palmer <palmer@google.com>
- Date: Tue, 2 Sep 2014 14:15:48 -0700
- To: Jeffrey Yasskin <jyasskin@google.com>
- Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>
On Thu, Aug 28, 2014 at 9:14 AM, Jeffrey Yasskin <jyasskin@google.com> wrote:

> Since an origin is just (uri-scheme, uri-host, uri-port)--effectively a
> string--but insecurity and authentication in MIX change based on
> whether "the user agent discovers only after performing a
> TLS-handshake that the TLS-protection offered is either weak or
> deprecated", I'm not sure it's appropriate to talk about authenticated
> or insecure "origins". I think it's the _resource_ that becomes
> insecure if it turns out to have been transferred over a TLS-deficient
> connection.

But if that resource was code, it can poison the whole origin on an ongoing basis; if the resource was passive content, it can still cause a lot of trouble (e.g. mixed image content changing the meaning of the UI for an otherwise secure origin). So, the boundary between the terms "origin", "resource", and "total history of resources downloaded and rendered/executed in the context of an origin" is fuzzy...
Received on Tuesday, 2 September 2014 21:16:15 UTC
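The origin-versus-resource distinction argued over above, as an added Python sketch that is not part of the original message or of the Mixed Content spec: it reduces an origin to its (scheme, host, port) tuple, judges each resource on its own channel, and lets the origin's state depend on the whole load history. The `kind` labels, `tls_state` values and verdict strings are assumptions modelled on the spec's blockable/optionally-blockable split.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80, "wss": 443, "ws": 80}
SECURE_SCHEMES = {"https", "wss"}
# Assumed grouping: active content is "blockable", passive is "optionally-blockable".
ACTIVE_KINDS = {"script", "style", "iframe", "xhr"}
PASSIVE_KINDS = {"image", "audio", "video"}

def origin(url):
    """The (scheme, host, port) tuple an origin reduces to."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (u.hostname or "").lower(), port)

def resource_is_insecure(url, tls_state):
    """A resource is insecure if fetched in the clear, or if the handshake
    (known only after it completes) yielded weak or deprecated protection."""
    scheme = origin(url)[0]
    return scheme not in SECURE_SCHEMES or tls_state in ("weak", "deprecated")

class OriginContext:
    """Tracks the history of resources rendered or executed in one origin."""
    def __init__(self, document_url):
        self.origin = origin(document_url)
        self.history = []       # (url, kind, verdict), in load order
        self.poisoned = False   # once code from a bad channel ran, stays True

    def load(self, url, kind, tls_state="strong"):
        """Classify one fetched resource and record it; returns the verdict."""
        if self.origin[0] not in SECURE_SCHEMES:
            verdict = "not-mixed"          # plain-http document: nothing to protect
        elif not resource_is_insecure(url, tls_state):
            verdict = "secure"
        elif kind in ACTIVE_KINDS:
            verdict = "blockable"
            self.poisoned = True           # executed code taints the whole origin
        else:
            verdict = "optionally-blockable"   # passive, but can still reshape the UI
        self.history.append((url, kind, verdict))
        return verdict

    def status(self):
        """Origin-level state, a function of the full history rather than one fetch."""
        if self.origin[0] not in SECURE_SCHEMES:
            return "insecure"
        if self.poisoned:
            return "poisoned"
        if any(v == "optionally-blockable" for _, _, v in self.history):
            return "degraded"
        return "authenticated"
```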