W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: "Mixed Content" draft up for review.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 3 Jun 2014 08:17:16 +0200
Message-ID: <CADnb78jkVes6ftzarOODv3-t2Pw9Pvs9TgoEej2Rch3HSy-HxA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Tanvi Vyas <tanvi@mozilla.com>, Brad Hill <bhill@paypal.com>, Dan Veditz <dveditz@mozilla.com>, Ryan Sleevi <rsleevi@chromium.org>, palmer@chromium.org
On Mon, Jun 2, 2014 at 3:30 PM, Mike West <mkwst@google.com> wrote:
> On Mon, Jun 2, 2014 at 2:55 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> True, and the same goes for only checking top. However, the current
>> algorithm does not do that. It returns as soon it verifies the current
>> document.
>
> I think we need both. Consider http://a.com -> https://b.com -> data: ->
> http://c.com
>
> Before loading c, we check the parent, which is a secure context because of
> b.com. If we only checked a.com, we'd allow c.com to load. I don't think we
> want that.

Again, https://w3c.github.io/webappsec/specs/mixedcontent/#categorize-environment
step 1 says if the environment is TLS-protected, you return true. And
you are not checking the parent in step 2 (which would not be reached
if the current environment was secure), you check the top.


-- 
http://annevankesteren.nl/
Received on Tuesday, 3 June 2014 06:17:45 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC