
Re: Mixed Content Spec feedback

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Wed, 02 Jul 2014 13:47:15 -0400
Message-ID: <53B445A3.1070104@fifthhorseman.net>
To: David Walp <David.Walp@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi David--

On 07/01/2014 10:43 PM, David Walp wrote:

> To address this use case we would propose that "arraybuffer" response
> types be categorized as "Optionally-blockable passive content".
> Although there are methods to pass non-media content through an
> array buffer, we think both the server and client would need to
> participate (agree in the encoding) in order to use an arraybuffer as a
> security hole.  Because both sides would need to be complicit, the
> exploitable surface area seems acceptable.

I don't think this follows.  If the media traffic itself (or other parts
of the XHR) is not protected by TLS, then it is *not* the case that both
sides need to be complicit, since either of the parties could be
replaced by an undetectable MITM for the cleartext traffic.

It's possible that i'm not understanding your proposal properly, though;
please correct me if i've missed something!

Regards,

	--dkg
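An added illustration, not part of this thread or the spec's text: a small classifier for the categories the thread argues about. It assumes the published Mixed Content spec's rule that only image/audio/video fetches from a secure page to a cleartext URL are "optionally-blockable" and that every other fetch, including an XHR regardless of its responseType, is "blockable", so the response type never softens the classification.

```javascript
// Added example (not from the mailing-list thread or the W3C spec):
// classify a subresource request as mixed content.
// Assumption: per the published Mixed Content spec, only image, audio and
// video requests are "optionally-blockable"; everything else is "blockable".
const OPTIONALLY_BLOCKABLE_DESTINATIONS = new Set(["image", "audio", "video"]);

// "Potentially trustworthy" origin check: TLS-protected schemes, plus
// loopback, which the spec also treats as trustworthy.
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  return u.hostname === "localhost" || u.hostname === "127.0.0.1";
}

// Returns "not-mixed", "optionally-blockable" or "blockable".
// responseType is accepted only to make the point explicit: it is
// deliberately ignored, because a cleartext XHR is MITM-able whatever the
// client chooses to decode the bytes as.
function classifyMixedContent(documentUrl, requestUrl, destination, responseType) {
  void responseType;
  if (!isPotentiallyTrustworthy(documentUrl)) return "not-mixed"; // page itself is cleartext
  if (isPotentiallyTrustworthy(requestUrl)) return "not-mixed";   // subresource is protected
  if (OPTIONALLY_BLOCKABLE_DESTINATIONS.has(destination)) return "optionally-blockable";
  return "blockable";
}

// Constructed sample requests from an https page (hostnames are placeholders).
const SAMPLES = [
  { page: "https://app.example/", url: "http://cdn.example/clip.mp4", dest: "video", rt: null },
  { page: "https://app.example/", url: "http://cdn.example/clip.mp4", dest: "xhr", rt: "arraybuffer" },
  { page: "http://app.example/", url: "http://cdn.example/clip.mp4", dest: "xhr", rt: "arraybuffer" },
];

function classifySamples() {
  return SAMPLES.map((s) => classifyMixedContent(s.page, s.url, s.dest, s.rt));
}
```

Running classifySamples() shows the same cleartext URL landing in "optionally-blockable" when fetched by a video element but "blockable" when fetched by an arraybuffer XHR.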


Received on Wednesday, 2 July 2014 17:47:48 UTC
