Re: Mixed Content Spec feedback

On Wed, Jul 2, 2014 at 4:43 AM, David Walp <David.Walp@microsoft.com> wrote:
> To address this use case we would propose that "arraybuffer" response
> types be categorized as "Optionally-blockable passive content".
> Although there are methods to pass non-media content through an
> array buffer, we think both the server and client would need to
> participate (agree on the encoding) in order to use an arraybuffer as a
> security hole. Because both sides would need to be complicit, the
> exploitable surface area seems acceptable.

Wait what? ArrayBuffer encompasses everything. If you allow
ArrayBuffer you might as well allow the rest too. That's not helping.
Besides, it's already demonstrated that XMLHttpRequest can be blocked
(yay us) and that media sites, such as YouTube, can run over TLS.


-- 
http://annevankesteren.nl/

Received on Wednesday, 2 July 2014 12:33:09 UTC