Re: [MIX] Consider all CORS requests "active" from Brian Smith on 2014-07-22 (public-webappsec@w3.org from July 2014)

From: Brian Smith <brian@briansmith.org>
Date: Tue, 22 Jul 2014 00:00:28 -0700
To: Jake Archibald <jaffathecake@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAFewVt7X9fEKGa4M-tZW2xF3WEOMTuVZonXx1u8XUp3G-CMEeg@mail.gmail.com>

>n Fri, Jul 11, 2014 at 3:21 AM, Jake Archibald <jaffathecake@gmail.com> wrote:
> On 10 July 2014 18:35, Brian Smith <brian@briansmith.org> wrote:
>>
>> On Thu, Jul 10, 2014 at 4:08 AM, Jake Archibald <jaffathecake@gmail.com>
>> wrote:
>> > In ServiceWorker, this means:
>> >
>> > importScripts('http://...'); - fails
>> > fetch('http://...'); - fails
>> > cache.add('http://...'); - fails
>> >
>> > …as they're all CORS dependant.
>>
>> Anything mixed-content with ServiceWorker should always fail, because
>> ServiceWorker would fall under the rule "mixed content is forbidden
>> from anything new we add to the web platform." This would include, in
>> particular, even <img> requests handled by a ServiceWorker.
>
>
> One of the problems with Appcache is you had to rearchitect your site around
> it, ServiceWorker mustn't be like that.

Fixing passive mixed content issues is not the same as rearchitecting
your site, though I agree it can be a lot of work.

> …none of the above should cause images to fail in cases where they wouldn't
> without a serviceworker. The <img> should decide whether it should accept or
> deny the response, not the serviceworker. If the HTTP image request requires
> cors (<img crossorigin>) it should fail in all 3 cases. If it doesn't
> require cors, it should create a mixed content warning in all 3 cases.
>
> Mixed content will be opaque (like all responses to no-cors requests), it's
> down to the eventual consumer (<img>, <script>, @font-face etc) whether to
> block or allow.

Why? I think it is not worth supporting the edge case of a site that
has passive mixed content AND is progressive enough to be using
ServiceWorker AND is unwilling/unable to get rid of the passive mixed
content fixed. If nothing else, the security analysis of
ServiceWorkers is a lot clearer if mixed content doesn't have to be
considered. And, ServiceWorkers is a good carrot to motivate sites to
fix their mixed content issues.

Cheers,
Brian

Received on Tuesday, 22 July 2014 07:00:55 UTC