- From: Frederik Creemers <frederikcreemers@gmail.com>
- Date: Mon, 23 May 2016 20:32:37 +0200
- To: public-webappsec@w3.org
- Message-ID: <CAJA=sDSsmt9UHzht=-aK_y6U3jt3ccS-_QVBwVccb5B583uk+Q@mail.gmail.com>
Dear all,

I'm currently building a web application for listening to podcasts, and would like to serve it over HTTPS. However, I have no control over the servers that serve the actual audio/video files, frequently leading to mixed-content warnings.

I'm wondering if subresource integrity could resolve some or all of these. If my site is served over HTTPS, the checksums cannot be tampered with, so if someone were to do a MITM attack on the connection to a media server, the checksum would fail.

I'm aware that this only gives us the MITM resistance, and not the authentication and encryption offered by a fully HTTPS-protected website. I'm also aware that my server then somehow needs to connect to the media server and calculate the checksum, and that a MITM attack could be performed there. But I really feel the need for a solution to include non-HTTPS content on HTTPS pages, especially non-executable content like images, audio and video.

I don't often read W3C mailing lists, so I hope I'm posting this in the right place.

Best regards,
Frederik
Received on Monday, 23 May 2016 18:33:06 UTC
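
The checksum step the message describes, as an added example that is not part of the original post: a Node.js sketch that builds an SRI-format integrity string over fetched bytes and checks a later copy against it, using only the strongest algorithm listed. The function names are hypothetical, the sample bytes are constructed, and it assumes the application runs the check itself.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

// Hash functions defined for SRI metadata, weakest to strongest.
const STRENGTH = ['sha256', 'sha384', 'sha512'];

// Build an integrity string of the form "<alg>-<base64 digest>".
function integrityFor(bytes, alg = 'sha384') {
  if (!STRENGTH.includes(alg)) throw new Error(`unsupported algorithm: ${alg}`);
  return `${alg}-${createHash(alg).update(bytes).digest('base64')}`;
}

// Parse space-separated metadata; drop malformed tokens, unknown
// algorithms, and any "?options" suffix.
function parseIntegrity(metadata) {
  return metadata.trim().split(/\s+/).map((token) => {
    const dash = token.indexOf('-');
    if (dash < 1) return null;
    const alg = token.slice(0, dash).toLowerCase();
    const digest = token.slice(dash + 1).split('?')[0];
    return STRENGTH.includes(alg) && digest ? { alg, digest } : null;
  }).filter(Boolean);
}

// True when the bytes match a digest of the strongest algorithm present.
// Weaker digests listed alongside it are ignored, so a weaker hash cannot
// be used to get a different file accepted.
function verify(bytes, metadata) {
  const entries = parseIntegrity(metadata);
  if (entries.length === 0) return false; // this helper's choice: fail closed
  const best = Math.max(...entries.map((e) => STRENGTH.indexOf(e.alg)));
  const alg = STRENGTH[best];
  const actual = createHash(alg).update(bytes).digest();
  return entries.filter((e) => e.alg === alg).some((e) => {
    const expected = Buffer.from(e.digest, 'base64');
    return expected.length === actual.length && timingSafeEqual(expected, actual);
  });
}

// Constructed sample bytes standing in for a media file and an altered copy.
const episode = Buffer.from('constructed sample standing in for an audio file');
const tampered = Buffer.from('constructed sample standing in for an audio fil3');
const pinned = integrityFor(episode);
console.log(pinned, verify(episode, pinned), verify(tampered, pinned));
```

The value is only as trustworthy as the fetch it was computed from, which is the second MITM opportunity the message points out.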