- From: Collin Jackson <collinj@cs.stanford.edu>
- Date: Mon, 25 Feb 2008 23:20:34 -0800
- To: "Anne van Kesteren" <annevk@opera.com>, "Adam Barth" <abarth@cs.stanford.edu>, "Jonas Sicking" <jonas@sicking.cc>, public-appformats@w3.org
It would be helpful to include some discussion of mixed content handling for cross-site requests, perhaps in the Security Considerations section. Mixed content warnings are typically issued by browsers when an HTTPS page issues a request for some non-HTTPS content, e.g. <script src="http://some.site/foo.js"></script>.

When a web site tries to make a cross-site XMLHttpRequest from an HTTPS page to a non-HTTPS page, several user agent behaviors are possible:

1) Block the request
2) Treat the request as "mixed content" and display a warning in the user interface if appropriate
3) Allow the request

If the site is careless, non-HTTPS requests could compromise the integrity of the user's session. For example, a site could make a cross-site XMLHttpRequest to itself over a plain HTTP connection and inject that content into its page without validating it.

However, certain types of non-HTTPS requests may be safe for HTTPS pages. For example, if the site is already doing client-side hashing to verify the integrity of the received content, it may be safe and efficient to make the request over plain HTTP instead of HTTPS.

Currently, Firefox seems to be implementing (3). Is this behavior by design? Do other implementors plan to match this behavior?
Received on Tuesday, 26 February 2008 07:20:53 UTC