Re: [MIX] Consider all CORS requests "active"

On Thu, Jul 10, 2014 at 4:08 AM, Jake Archibald <jaffathecake@gmail.com> wrote:
> http://w3c.github.io/webappsec/specs/mixedcontent/#requirements-script
>
> Currently, XHR & EventSource specifically fail when requesting insecure
> content. This could be replaced with a general rule that CORS checks to HTTP
> always fail. This also covers usually passive content that becomes active
> via CORS, eg <img crossorigin>.

I caution against trying to define "active." Instead, I suggest that
we define "passive" and assume everything else is active. Perhaps the
definition of "passive" can be as simple as "<img> without the
crossorigin attribute."

> This means font requests to http would also fail, they could be given an
> exception if needed.

All mixed content font requests should always fail.

> In ServiceWorker, this means:
>
> importScripts('http://...'); - fails
> fetch('http://...'); - fails
> cache.add('http://...'); - fails
>
> …as they're all CORS dependent.

Anything mixed-content with ServiceWorker should always fail, because
ServiceWorker would fall under the rule "mixed content is forbidden
from anything new we add to the web platform." This would include, in
particular, even <img> requests handled by a ServiceWorker.

> fetch('http://...', {mode: 'no-cors'});
> cache.add(new Request('http://...', {mode: 'no-cors'}));
>
> …these will give back a tainted response. Usual rules can apply if they're
> used to satisfy requests to <script>, <img> etc.

Again, fetch and cache.add should never work when given "http://" URLs
on an HTTPS page.

Cheers,
Brian

Received on Thursday, 10 July 2014 17:35:55 UTC
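The rule sketched in this exchange (passive is only `<img>` without `crossorigin`; everything else is active; CORS-mode requests, font requests and anything issued by or routed through a ServiceWorker always fail on an HTTPS page) can be written down as a small decision function. The code below is an added example modelling that proposal; it is not code from the Mixed Content spec, from either poster, or from any browser. It assumes a request is described by its URL, its Fetch `destination` (e.g. `"image"`, `"font"`, `"script"`, or `""` for a bare `fetch()`), its Fetch `mode` (`"cors"` or `"no-cors"`), and a constructed `viaServiceWorker` flag; those field names and the three result labels are assumptions for this model.

```javascript
// Added example: a model of the mixed-content rule proposed in this thread.
// Not spec text and not browser code. Assumed request shape:
//   { url, destination, mode, viaServiceWorker }
// where destination/mode use Fetch's vocabulary and viaServiceWorker is a
// constructed flag for requests issued by or routed through a ServiceWorker.

function isSecureScheme(url) {
  const scheme = new URL(url).protocol;
  return scheme === "https:" || scheme === "wss:";
}

// Mixed content exists only when a secure page fetches an insecure URL.
function isMixedContent(pageUrl, requestUrl) {
  return isSecureScheme(pageUrl) && !isSecureScheme(requestUrl);
}

// "Passive" is defined narrowly, as Brian suggests: an <img> element without
// the crossorigin attribute, i.e. an image fetched in no-cors mode directly
// by the page. Everything not matching this is treated as active.
function isPassive(req) {
  return req.destination === "image" &&
         req.mode === "no-cors" &&
         !req.viaServiceWorker;
}

// Decide what a page should do with a request:
//   "allow"            not mixed content at all
//   "block"            mixed content that must fail
//   "optionally-block" passive mixed content; the user agent may still load it
function mixedContentDecision(pageUrl, req) {
  if (!isMixedContent(pageUrl, req.url)) return "allow";

  // "mixed content is forbidden from anything new we add to the web
  // platform": anything touched by a ServiceWorker fails, even <img>.
  if (req.viaServiceWorker) return "block";

  // "All mixed content font requests should always fail."
  if (req.destination === "font") return "block";

  // Any CORS-mode request to http:// fails: XHR, fetch(), EventSource,
  // <img crossorigin>, <script crossorigin>, and so on.
  if (req.mode === "cors") return "block";

  // What remains is no-cors content fetched directly by the page; only the
  // narrow passive case may be loaded, and even that only optionally.
  return isPassive(req) ? "optionally-block" : "block";
}

// Constructed sample requests from an https: page, for illustration.
function demo() {
  const page = "https://example.com/";
  return [
    ["<img src=http://...>",             mixedContentDecision(page, { url: "http://cdn.example/a.png", destination: "image", mode: "no-cors", viaServiceWorker: false })],
    ["<img crossorigin src=http://...>", mixedContentDecision(page, { url: "http://cdn.example/a.png", destination: "image", mode: "cors",    viaServiceWorker: false })],
    ["@font-face url(http://...)",       mixedContentDecision(page, { url: "http://cdn.example/f.woff", destination: "font", mode: "no-cors", viaServiceWorker: false })],
    ["fetch('http://...')",              mixedContentDecision(page, { url: "http://api.example/v1",    destination: "",      mode: "cors",    viaServiceWorker: false })],
    ["<img> answered by a ServiceWorker", mixedContentDecision(page, { url: "http://cdn.example/a.png", destination: "image", mode: "no-cors", viaServiceWorker: true })],
    ["<img src=https://...>",            mixedContentDecision(page, { url: "https://cdn.example/a.png", destination: "image", mode: "no-cors", viaServiceWorker: false })],
  ];
}
```

Note that a plain `fetch('http://...', {mode: 'no-cors'})` from the page falls through to the last line with an empty destination and is blocked, which is the outcome Brian asks for; only the element-driven `<img>` case without `crossorigin` keeps its optionally-blockable status.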