Re: SRI, cache validation and ServiceWorkers

From: Alex Russell <slightlyoff@google.com>
Date: Mon, 19 May 2014 15:20:15 -0700
Message-ID: <CANr5HFUJtokmtbeU3V3R2hvKYPWr9041a02_Zxdspy03KgHXJQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Yoav Weiss <yoav@yoav.ws>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, May 19, 2014 at 12:37 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, May 19, 2014 at 9:12 AM, Yoav Weiss <yoav@yoav.ws> wrote:
> > Obviously, full TLS provides better user protection (for any kind of MITM),
> > but I think the above scheme can be used to mitigate SW specific MITM
> > threats, and enable SW over TLS.
> >
> > Thoughts?
>
> I don't think we ever thought it would not be possible to have service
> workers outside HTTPS given sufficient patching, it's just not clear
> that making it substantially different is a good tradeoff. And sites
> that use service workers ought to be using HTTPS anyway.

What Anne said. The can(s) of worms that it opens are messy, the
mitigations not sufficiently less onerous than SSL, and the benefits

Secure-origins are where it's at. The world needs to be encrypted and we're
going first.

Received on Monday, 19 May 2014 22:21:12 UTC
