- From: Mike West <mkwst@google.com>
- Date: Thu, 5 Jun 2014 14:48:43 +0200
- To: Brian Smith <brian@briansmith.org>, Zack Weinberg <zackw@cmu.edu>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=fwbd7KYCRM2M1Sb5KgMa9cY9Zr1ewXyLf9Cb60OeQzPA@mail.gmail.com>
https://github.com/w3c/webappsec/commit/d635094f4e6f6a27fd565f63c9570858de27172b is a first pass at making this change. The draft at http://w3c.github.io/webappsec/specs/mixedcontent/ has been updated accordingly; it's probably easier to read there. :)

WDYT?

+Zach to join threads.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Wed, Jun 4, 2014 at 10:15 AM, Mike West <mkwst@google.com> wrote:
> Thanks Brian! Forking your suggestions into separate threads for my own sanity. :)
>
> On Tue, Jun 3, 2014 at 6:31 PM, Brian Smith <brian@briansmith.org> wrote:
>
>> Change 1: I would like to have the scope expanded beyond TLS-protected vs. non-TLS-protected. In particular, I'd like to see Firefox's rules for blocking file:// subresources in non-file:// documents incorporated into the specification. I'd also like to see MSIE11's zone rules for local (intranet) vs. non-local (internet) servers considered for incorporation (something that Firefox is also working on adopting). This way, the specification would completely document/define which origins a subresource could be loaded from as a function of the document's origin. This would also solve the problem with defining "assumed secure origin."
>
> I think this makes sense. I certainly focused on TLS/non-TLS in the draft, but that does create problems such as those you've pointed out. I'll work on updating the draft.
>
> 'file:' URLs should certainly be blocked from web addresses, as should internal IP addresses (as defined by RFC1918). There's some discussion on the Chromium bug tracker at https://code.google.com/p/chromium/issues/detail?id=378566. Is there a similar discussion I could follow on Bugzilla?
Received on Thursday, 5 June 2014 12:49:32 UTC
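The three loading rules discussed in this thread (file: subresources blocked outside file: documents, RFC1918 addresses blocked from internet origins, non-TLS subresources blocked from TLS-protected documents), as an added illustration that is not part of the thread or of the Mixed Content draft. The function names `subresource_verdict` and `is_rfc1918_host` are hypothetical, and treating only literal IP addresses as "intranet" is a simplification of the zone rules mentioned above.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# RFC 1918 private address blocks (the "internal IP addresses" from the thread).
PRIVATE_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_rfc1918_host(host):
    """True if `host` is a literal IPv4 address inside an RFC 1918 block.

    Simplification (assumption): hostnames are not resolved, so an intranet
    name that is not a literal address is treated as public here.
    """
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # a DNS name, not an address literal
    return any(addr in net for net in PRIVATE_NETS)


def subresource_verdict(document_url, subresource_url):
    """Decide whether `document_url` may load `subresource_url`.

    Returns "allow" or a string starting with "block: " naming the rule hit.
    Rules are checked in the order the thread raises them.
    """
    doc = urlsplit(document_url)
    sub = urlsplit(subresource_url)

    # Rule 1 (Firefox behaviour cited by Brian): file: subresources are only
    # loadable from file: documents.
    if sub.scheme == "file" and doc.scheme != "file":
        return "block: file: subresource in non-file: document"

    # Rule 2 (zone rule / RFC1918 point): an internet-origin document may not
    # reach into private address space.
    doc_private = is_rfc1918_host(doc.hostname or "")
    sub_private = is_rfc1918_host(sub.hostname or "")
    if doc.scheme in ("http", "https") and not doc_private and sub_private:
        return "block: RFC1918 address from an internet origin"

    # Rule 3 (the draft's original scope): classic mixed content.
    if doc.scheme == "https" and sub.scheme == "http":
        return "block: non-TLS subresource in TLS-protected document"

    return "allow"
```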