- From: Roland Zink <roland@zinks.de>
- Date: Fri, 20 Jun 2014 11:48:38 +0200
- To: ietf-http-wg@w3.org
- Message-ID: <53A40376.3070406@zinks.de>

On 19.06.2014 21:33, William Chan (陈智昌) wrote:
>
> The need to trust a third party is definitely a problem for content
> authors today. This is one use case for the Subresource Integrity
> proposal: http://www.w3.org/TR/2014/WD-SRI-20140318/#resource-integrity-1.
>
> That said, I do not agree with your assertion that referencing content
> from a third party is equivalent to being willing to trust a proxy. I
> am frankly surprised to hear such a statement. Does anyone else agree
> with this?
>
Don't think you can be sure what active content will do and it has access to decrypted content.
> And you can argue you trust the third party more than the proxy, but
> that's *your* opinion not necessarily the opinion of your users so the
> transitive trust issue was opened up the moment js hosting was delegated
> to a third party. Current browser UI does not inform users that when they
> visit nicecite.com <http://nicecite.com> they're really executing
> monitoring.js from bigbrother.com <http://bigbrother.com>.
>
> +1
>
> The nice thing about proxying is that it exposes all the trust issues
> caused by mashing up resources without thinking about the security
> aspects, instead of burying them in the browser cache where no one
> thinks to look before it's too late.
>
> --
> Nicolas Mailhot
>
>
Received on Friday, 20 June 2014 09:49:18 UTC