- From: Brian Smith <bsmith@mozilla.com>
- Date: Mon, 27 Jun 2011 11:39:02 -0700 (PDT)
- To: Adam Barth <w3c@adambarth.com>
- Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, public-web-security@w3.org, Gervase Markham <gerv@mozilla.org>

Adam Barth wrote:
> Maybe the better solution is to remove the ability to specify the
> "http" scheme? The site can explain which host names it likes. Over
> "http", these host names mean http or https and over "https" they
> mean just https.

That is more elegant, but it would mean that a document delivered over HTTP(S) could never have any non-HTTP(S) subresources. In particular, what about ftp(s):// resources?

Also, I am not sure it is a good idea to drop the ability for a page delivered over (non-TLS) HTTP to restrict certain kinds of subresources (e.g. scripts or objects) to being loaded over HTTPS.

- Brian

Received on Monday, 27 June 2011 18:39:36 UTC