W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: [referrer] HTTPS->HTTP

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 24 Oct 2014 08:59:12 +0200
Message-ID: <CADnb78gnQvT5umaMsYNr1TjS_6yGZWXzGyibJKZsk1ApiqX1Lg@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Fri, Oct 24, 2014 at 8:50 AM, Mark Nottingham <mnot@mnot.net> wrote:
> I think the issue here is that the replacement for a hack (that works) is a more general, less precise mechanism.

I guess that's fair, though we are slowly moving to a world where you
cannot have mixed content so the only real leak would be navigation
anyway. But yes, it does seem quite bad to meanwhile leak the path to
the network through unauthenticated images. That should be addressed
somehow. Perhaps the policy, if less strict, should not affect
unauthenticated subresources.

Received on Friday, 24 October 2014 06:59:39 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:41 UTC