Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do. from Brad Hill on 2015-01-05 (public-webappsec@w3.org from January 2015)

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 05 Jan 2015 23:06:05 +0000
To: Mark Watson <watsonm@netflix.com>, Jim Manico <jim.manico@owasp.org>
Cc: Chris Palmer <palmer@google.com>, Jeffrey Yasskin <jyasskin@google.com>, Tim Berners-Lee <timbl@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAEeYn8iLyk9HtLygtJG=FXMdfY3ci=X=zgTLGQATA5NrrKjuDg@mail.gmail.com>

>
>
>> FWIW, if all the resources retrieved over HTTP were protected with
> sub-resource-integrity, then I think you have lost only some
> confidentiality and you still have integrity and authenticity.
>
>>
>>
Unfortunately, it is worth very little.  The motivating use case here is
the the ability to pull in arbitrary open data for use in mashups, so the
application cannot reasonably know in advance a secure digest value of the
content and any plausibly secure way to provide this metadata assumes much
more competence and effort on the part of the data providers than merely
offering the same resources over https.

Received on Monday, 5 January 2015 23:06:33 UTC