Re: CSP: non-TLS scheme restrictions must allow TLS-enabled schemes automatically

> Isn't there a risk here? HTTP vhosting exists, but TLS vhosting does not
> (really) yet. So the owner of the website which is at
> might find that accessing
> actually gives them the HTML content of, which is
> hosted on the same machine, but controlled by someone else entirely.

Wouldn't this throw a certificate error (and with HSTS, die without warning)?


> So if the owner of found an XSS hole in, they could
> inject links to "", which would be CSP-allowed, and
> yet would return content under his control. (Albeit with certificate
> mismatch errors.)
> Is this risk basically just theoretical, or worth considering?
> Gerv

Received on Monday, 27 June 2011 17:44:15 UTC
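An added example, not part of the thread, of the rule the subject line describes: a simplified CSP source-expression matcher in which an http: or ws: source also allows its TLS counterpart, while an https: source never allows plain http:. The four schemes, their default ports and the wildcard-host handling are assumptions of this model, not a full CSP implementation.

```python
from urllib.parse import urlsplit

# Assumption: only these four schemes are modelled.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# A non-TLS scheme in a source expression also permits its TLS-enabled form.
TLS_UPGRADE = {"http": "https", "ws": "wss"}


def scheme_matches(source_scheme, url_scheme):
    """http allows https and ws allows wss; never the reverse."""
    if source_scheme == url_scheme:
        return True
    return TLS_UPGRADE.get(source_scheme) == url_scheme


def host_matches(source_host, url_host):
    """Exact host, or '*.example.com' matching any subdomain but not the apex."""
    if source_host.startswith("*."):
        return url_host.endswith(source_host[1:])
    return source_host == url_host


def parse_source(source):
    """Split 'scheme://host:port' into parts; scheme and port are optional."""
    scheme, sep, rest = source.partition("://")
    if not sep:
        scheme, rest = None, source
    host, _, port = rest.partition(":")
    return (scheme.lower() if scheme else None, host.lower(),
            int(port) if port else None)


def source_allows(source, url, page_scheme="http"):
    """True if `url` is permitted by the CSP source expression `source`.
    `page_scheme` is the protected document's scheme, used when the source
    expression carries no scheme of its own."""
    src_scheme, src_host, src_port = parse_source(source)
    parts = urlsplit(url)
    url_scheme = parts.scheme.lower()
    url_host = (parts.hostname or "").lower()
    if url_scheme not in DEFAULT_PORTS:
        return False
    url_port = parts.port if parts.port is not None else DEFAULT_PORTS[url_scheme]
    if not scheme_matches(src_scheme or page_scheme, url_scheme):
        return False
    if not host_matches(src_host, url_host):
        return False
    # No port in the source: the URL must use the default port of its own scheme.
    if src_port is None:
        return url_port == DEFAULT_PORTS[url_scheme]
    return url_port == src_port
```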