
Re: Mixed Content Spec feedback

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 2 Jul 2014 14:32:42 +0200
Message-ID: <CADnb78h+Fw7LL+hEcNVVhfdRekLAkm6_hEH1V6W1YdkUs9SAGw@mail.gmail.com>
To: David Walp <David.Walp@microsoft.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Jul 2, 2014 at 4:43 AM, David Walp <David.Walp@microsoft.com> wrote:
> To address this use case we would propose that "arraybuffer" response
> types be categorized as "Optionally-blockable passive content".
> Although there are methods to pass non-media content through an
> array buffer, we think both the server and client would need to
> participate (agree in the encoding) in order to use an arraybuffer as a
> security hole.  Because both sides would need to be complicit, the
> exploitable surface area seems acceptable.

Wait what? ArrayBuffer encompasses everything. If you allow
ArrayBuffer you might as well allow the rest too. That's not helping.
Besides, it's already demonstrated that XMLHttpRequest can be blocked
(yay us) and that media sites, such as YouTube, can run over TLS.
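To make the disagreement concrete, here is a small mixed-content classifier written for this page as an added example; it is not code from the thread, from the Mixed Content spec, or from any browser. It assumes a simplified list of "potentially trustworthy" schemes and hosts (https, wss, data:, loopback) and uses 'xhr' as a stand-in for the request destination of an XMLHttpRequest. The classifier takes the XHR responseType as a parameter only to show that it cannot influence the result: the bytes reach script whether they arrive as text or as an ArrayBuffer, so only the request destination decides between optionally-blockable (media) and blockable (everything else).

```javascript
// Added example: a toy mixed-content classifier modelled on the categories in the
// Mixed Content spec (not code from the spec, the thread, or any browser).
// Assumptions: the trustworthy-scheme and host lists below are a simplification,
// and 'xhr' stands for the request destination of an XMLHttpRequest.

// A request is mixed content only when a secure page fetches an insecure URL.
// "Potentially trustworthy" here means https/wss, data:, or a loopback host.
function isPotentiallyTrustworthy(urlString) {
  const url = new URL(urlString);
  if (url.protocol === 'https:' || url.protocol === 'wss:' || url.protocol === 'data:') {
    return true;
  }
  const host = url.hostname;
  return host === 'localhost' || host.endsWith('.localhost') ||
         host === '127.0.0.1' || host === '[::1]';
}

// Only destinations whose bytes are consumed by a media decoder and never exposed
// to script are optionally-blockable; everything else is blockable.
const OPTIONALLY_BLOCKABLE_DESTINATIONS = new Set(['image', 'audio', 'video']);

// Classify one request. `responseType` is accepted deliberately to show that the
// XHR response type ('text', 'arraybuffer', ...) never changes the result: the
// bytes reach script either way, so the destination decides.
function classifyRequest(pageUrl, requestUrl, destination, responseType = '') {
  if (!isPotentiallyTrustworthy(pageUrl)) return 'not-mixed'; // insecure page: nothing to protect
  if (isPotentiallyTrustworthy(requestUrl)) return 'not-mixed';
  void responseType; // intentionally unused: it plays no role in the classification
  return OPTIONALLY_BLOCKABLE_DESTINATIONS.has(destination) ? 'optionally-blockable' : 'blockable';
}

// Turn a category into a decision under a given user-agent policy.
function decide(category, { allowOptionallyBlockable = false } = {}) {
  if (category === 'not-mixed') return 'allow';
  if (category === 'optionally-blockable') {
    return allowOptionallyBlockable ? 'allow-with-warning' : 'block';
  }
  return 'block';
}

// Constructed sample requests (not real traffic) issued from an https page.
const SAMPLE_REQUESTS = [
  { requestUrl: 'http://cdn.example/data.bin', destination: 'xhr', responseType: 'arraybuffer' },
  { requestUrl: 'http://cdn.example/data.txt', destination: 'xhr', responseType: 'text' },
  { requestUrl: 'http://cdn.example/clip.mp4', destination: 'video' },
  { requestUrl: 'https://cdn.example/app.js', destination: 'script' },
  { requestUrl: 'http://localhost:8080/dev.js', destination: 'script' },
];

// Run every sample through the classifier and attach the category and decision.
function classifySamples(pageUrl = 'https://example.com/page') {
  return SAMPLE_REQUESTS.map((r) => {
    const category = classifyRequest(pageUrl, r.requestUrl, r.destination, r.responseType);
    return { ...r, category, decision: decide(category) };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(classifySamples());
}
```

Running it shows the two XHR rows getting the same 'blockable' category whether the responseType is 'arraybuffer' or 'text', which is the point of the reply: carving out a response type would amount to allowing the whole XHR, not a narrower media-only case.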

Received on Wednesday, 2 July 2014 12:33:09 UTC
