
Re: [MIX] Consider all CORS requests "active"

From: Glenn Adams <glenn@skynav.com>
Date: Thu, 10 Jul 2014 13:40:05 -0600
Message-ID: <CACQ=j+fdHF0z8fwhwRhk6Bt2gQqUwM9daGynTZWtY62LUYqxSA@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Jake Archibald <jaffathecake@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Jul 10, 2014 at 11:35 AM, Brian Smith <brian@briansmith.org> wrote:

> On Thu, Jul 10, 2014 at 4:08 AM, Jake Archibald <jaffathecake@gmail.com>
> wrote:
> > http://w3c.github.io/webappsec/specs/mixedcontent/#requirements-script
> >
> > Currently, XHR & EventSource specifically fail when requesting insecure
> > content. This could be replaced with a general rule that CORS checks to
> > HTTP always fail. This also covers usually passive content that becomes
> > active via CORS, e.g. <img crossorigin>.
>
> I caution against trying to define "active." Instead, I suggest that
> we define "passive" and assume everything else is active. Perhaps the
> definition of "passive" can be as simple as "<img> without the
> crossorigin attribute."
>

IMO using the words active/passive is just inviting trouble. I would
suggest choosing an alternate set of terms that are given a definition in
the context of this document.


>
> > This means font requests to http would also fail, they could be given an
> > exception if needed.
>
> All mixed content font requests should always fail.
>
> > In ServiceWorker, this means:
> >
> > importScripts('http://...'); - fails
> > fetch('http://...'); - fails
> > cache.add('http://...'); - fails
> >
> > …as they're all CORS dependent.
>
> Anything mixed-content with ServiceWorker should always fail, because
> ServiceWorker would fall under the rule "mixed content is forbidden
> from anything new we add to the web platform." This would include, in
> particular, even <img> requests handled by a ServiceWorker.
>
> > fetch('http://...', {mode: 'no-cors'});
> > cache.add(new Request('http://...', {mode: 'no-cors'}));
> >
> > …these will give back a tainted response. Usual rules can apply if
> > they're used to satisfy requests to <script>, <img> etc.
>
> Again, fetch and cache.add should never work when given "http://" URLs
> on an HTTPS page.
>
> Cheers,
> Brian
>
>
Received on Thursday, 10 July 2014 19:40:54 UTC
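The following is an added example and not code from this thread or from the Mixed Content spec. It models the two rules debated above as a small decision function so the cases Jake lists (fetch, importScripts, cache.add, no-cors fetch, plain and crossorigin <img>) can be checked mechanically: Jake's rule that a CORS-mode request to an http: URL from an https: page always fails while a no-cors request yields an opaque (tainted) response, and Brian's stricter rule that anything mixed inside a ServiceWorker fails regardless of mode. The function name, option names, and the app.example / cdn.example URLs are this example's own assumptions; the page URL and resource URL are constructed inputs.

```javascript
// Added example: a model of the mixed-content rules proposed in the thread.
// Not the spec's algorithm; names and option fields are this example's own.
//
// Outcomes:
//   "allowed" - not mixed content (page is not https:, or request is not http:)
//   "blocked" - the request fails outright
//   "opaque"  - the request is made but yields a tainted (opaque) response
function classifyMixedRequest({
  pageUrl,
  requestUrl,
  mode = "cors",                   // fetch() and XHR default to "cors"
  inServiceWorker = false,
  serviceWorkerAlwaysFails = true, // Brian's rule; false leaves only Jake's mode-based rule
}) {
  const page = new URL(pageUrl);
  // Relative and protocol-relative URLs resolve against the page, so
  // "//cdn.example/x.js" on an https: page becomes https: and is never mixed.
  const target = new URL(requestUrl, pageUrl);

  if (page.protocol !== "https:" || target.protocol !== "http:") {
    return "allowed";
  }
  if (inServiceWorker && serviceWorkerAlwaysFails) {
    return "blocked";
  }
  switch (mode) {
    case "cors":    // XHR, EventSource, fetch(), <img crossorigin>, fonts
      return "blocked";
    case "no-cors": // plain <img>, fetch(url, {mode: "no-cors"}), cache.add of such a Request
      return "opaque";
    default:
      throw new Error(`unsupported request mode: ${mode}`);
  }
}

// Constructed inputs: an https: page loading an http: resource (assumed hosts).
const PAGE = "https://app.example/";
const HTTP_RES = "http://cdn.example/asset";

// The cases discussed in the thread, evaluated under the model above.
function threadCases() {
  return {
    imgPlain: classifyMixedRequest({ pageUrl: PAGE, requestUrl: HTTP_RES, mode: "no-cors" }),
    imgCrossorigin: classifyMixedRequest({ pageUrl: PAGE, requestUrl: HTTP_RES, mode: "cors" }),
    xhrOrFetch: classifyMixedRequest({ pageUrl: PAGE, requestUrl: HTTP_RES }),
    protocolRelative: classifyMixedRequest({ pageUrl: PAGE, requestUrl: "//cdn.example/asset" }),
    swImportScripts: classifyMixedRequest({ pageUrl: PAGE, requestUrl: HTTP_RES, inServiceWorker: true }),
    // Jake and Brian disagree on this one; both readings are shown.
    swFetchNoCorsBrian: classifyMixedRequest({ pageUrl: PAGE, requestUrl: HTTP_RES, mode: "no-cors", inServiceWorker: true }),
    swFetchNoCorsJake: classifyMixedRequest({ pageUrl: PAGE, requestUrl: HTTP_RES, mode: "no-cors", inServiceWorker: true, serviceWorkerAlwaysFails: false }),
  };
}

console.log(threadCases());
```

Running the block prints the outcome for each case; the only entry that changes between the two proposals is the no-cors fetch issued from a ServiceWorker, which is exactly the point on which the two replies differ. The protocol-relative case is included because it is the usual way to avoid mixed content in the first place: the resolved URL inherits the page's scheme and is never classified as mixed.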