- From: Jim Manico <jim.manico@owasp.org>
- Date: Sun, 22 Nov 2015 14:43:33 -0600
- To: Simon Brown <mail@simonandrewbrown.co.uk>, public-webappsec@w3.org
- Message-ID: <565228F5.3030902@owasp.org>
> ...even though there are other secure origins, such as localhost

This might be a bit tangential, but I see secure minded browsers moving to block access to localhost for a variety of reasons...

https://code.google.com/p/chromium/issues/detail?id=378566

- Jim

On 11/21/15 8:31 AM, Simon Brown wrote:
> Currently most browsers only show the padlock icon on HTTPS sites,
> even though there are other secure origins, such as localhost. I
> propose that browsers start showing the padlock icon for other secure
> origins, providing there isn’t a security problem, such as an invalid
> certificate on a HTTP site or content from an insecure origin. This
> would:
>
> 1. Make it easier for users to ascertain whether an origin is secure.
> Currently secure localhost and insecure HTTP have the same indicators.
> 2. Increase the perceived normality of the padlock signal, making
> insecure origins stand out more.
> 3. Make it more obvious to developers when they are able to use
> features that are restricted to secure origins.
> https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features
> 4. Make the transition to marking insecure origins as non-secure more
> straightforward.
> https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Received on Sunday, 22 November 2015 20:44:04 UTC