
Mixed Content Spec feedback

From: David Walp <David.Walp@microsoft.com>
Date: Wed, 2 Jul 2014 02:43:42 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <6f2333daa0524303a2794895d6e7f2b9@BLUSR01MB589.namsdf01.sdf.exchangelabs.com>

Hi,

Per my action item from the last conference call, here is Microsoft's 
feedback on the Mixed Content specification.

Generally Microsoft is supportive of publishing the Mixed Content draft 
as a FPWD. We do have one area of concern with the draft. We've heard 
from customers who would like to play insecure media segments from 
within a secure web page, largely for performance reasons, and also that 
hosted media can present mixed content scenarios even if the media site 
alone doesn't. These media segments are retrieved as arraybuffer types
via XHR and played back via MSE or EME. The current proposal would
prevent this from happening.

To address this use case we would propose that "arraybuffer" response
types be categorized as "Optionally-blockable passive content".
Although there are methods to pass non-media content through an
array buffer, we think both the server and client would need to
participate (agree on the encoding) in order to use an arraybuffer as a
security hole. Because both sides would need to be complicit, the
exploitable surface area seems acceptable.

Cheers,
_dave_
Received on Wednesday, 2 July 2014 12:27:32 UTC