Re: CSP: non-TLS scheme restrictions must allow TLS-enabled schemes automatically

Mon 2011-06-27 at 09:14 +0100, Gervase Markham wrote:

> Isn't there a risk here? HTTP vhosting exists, but TLS vhosting does not
> (really) yet. So the owner of the website which is at
> http://www.foo.com/ might find that accessing https://www.foo.com/
> actually gives them the HTML content of https://www.bar.com/, which is
> hosted on the same machine, but controlled by someone else entirely.

Yes there is a risk. Today the risk is fairly minimal with most sites
using https having their own IPv4 address not shared by third party http
sites, but the risk is likely to increase in future as IPv4 addresses
become more scarce.

However, in this case the risk is easily mitigated by simply making sure
https vhosting is enabled when running https on an IP where http
vhosting is enabled.

Note: A similar but different risk exists in the same-origin policy of
Java/Flash sandboxes, where the applet can access any service on the
same IP, which means any vhost on that IP.

Regards
Henrik

Received on Monday, 27 June 2011 15:55:09 UTC
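The scheme rule the subject line proposes (a plain `http:` host source also admits the `https:` form of the same host and port, never the reverse), as an added Python example that is not from this thread or any CSP implementation; the function names and the port handling are my assumptions:

```python
from urllib.parse import urlsplit

# Default ports used when a source expression or URL carries none.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parts):
    """Explicit port if present, otherwise the scheme's default (None if unknown)."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def scheme_matches(source_scheme, url_scheme):
    """Same scheme always matches; a non-TLS 'http' source also matches 'https'.

    The upgrade is one-way: an 'https' source must never admit plain 'http'.
    Whether https://host really serves the same site as http://host depends on
    the server having TLS vhosting configured, which is the risk the thread
    discusses; this matcher cannot see that and only encodes the policy rule.
    """
    if source_scheme == url_scheme:
        return True
    return source_scheme == "http" and url_scheme == "https"


def host_source_matches(source, url):
    """Match one host-source expression (scheme://host[:port]) against a URL."""
    s, u = urlsplit(source), urlsplit(url)
    if not scheme_matches(s.scheme, u.scheme):
        return False
    if (s.hostname or "") != (u.hostname or ""):
        return False
    # No explicit port on the source: the URL must use its own scheme's default,
    # so http://www.foo.com admits https://www.foo.com (443) but not :8443.
    if s.port is None:
        return _effective_port(u) == DEFAULT_PORTS.get(u.scheme)
    return s.port == _effective_port(u)


def policy_allows(sources, url):
    """True if any source expression in the directive's list admits the URL."""
    return any(host_source_matches(src, url) for src in sources)
```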